MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d
SHA3-384 hash: d876c4a69fcc16ccddbc0340c136962120015cf3da99adb0505c3ae2458f791f9ddf7f0dac761cd2c229248fb4265705
SHA1 hash: 64960a5178a83b2fe6090a63e45a6b04587fcd6e
MD5 hash: 9ffadfed8c84ef64a24659860e5fffd1
humanhash: thirteen-foxtrot-alpha-seven
File name:SecuriteInfo.com.Trojan.DownLoaderNET.710.3015.14409
Download: download sample
Signature AgentTesla
Create hunting rule
File size:921'600 bytes
First seen:2023-10-18 22:35:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:1/BjRyFp60OLROY3pHKDExEepFDw6xc2vxmOwvx9Af4COuzg:fjRolI1KYrpF06rxmOc9Af4z
Threatray 75 similar samples on MalwareBazaar
TLSH T12A154C3D19BD223BC1A5C6B9CFE5C827F004D86F3421AD6598D7A7A64353A8635C323E
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1ab9657171695108 (2 x AgentTesla, 1 x N-W0rm)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
342
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
Formbook
Create hunting rule
ID:
1
File name:
SWIFT copy.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-10-18 15:04:07 UTC
Tags:
Formbook agenttesla stealer
Link:
https://app.any.run/tasks/a3a55b3e-cb5c-428f-8c6f-6c4723f8f9b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.710.3015.14409.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65305dd3cd0633254b8495db/reports/ee60e872-2768-406b-8ced-e2b7073a688a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d4e60d03-8f10-40c4-b9ab-088bc197e90f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328384
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328384 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 19/10/2023 Architecture: WINDOWS Score: 100 40 mail.adityagroup.co 2->40 42 fp2e7a.wpc.phicdn.net 2->42 44 3 other IPs or domains 2->44 50 Found malware configuration 2->50 52 Antivirus detection for URL or domain 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 8 other signatures 2->56 8 SecuriteInfo.com.Trojan.DownLoaderNET.710.3015.14409.exe 7 2->8         started        12 EpaZriPog.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\RoamingpaZriPog.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp3C81.tmp, XML 8->38 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Writes to foreign memory regions 8->60 62 Adds a directory exclusion to Windows Defender 8->62 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        64 Antivirus detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 68 Injects a PE file into a foreign processes 12->68 24 RegSvcs.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 46 mail.adityagroup.co 162.241.169.155, 49747, 49749, 587 UNIFIEDLAYER-AS-1US United States 14->46 48 api4.ipify.org 104.237.62.212, 443, 49746, 49748 WEBNXUS United States 14->48 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->72 74 Tries to steal Mail credentials (via file / registry access) 14->74 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        76 Tries to harvest and steal browser information (history, passwords, etc) 24->76 34 conhost.exe 26->34         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 05:11:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcz4d7djuzwewdy5vegkffulizmiaja53wa52zasc76ha3lsdfgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b282c5279640f86929276ce1a52be1ec7e892701954362e5568f254101880b5
AgentTesla
527bd1688c686cfb6d7fe4b85e2456a5a80c6995cb8ffc5aea8deae08877062d
AgentTesla
9551b8ab0bc6b210d632f4e4d77238f1ba8ddaefb6e8728c579773ce9eed963e
AgentTesla
9d3b52ca879885a78c6877c9ef71c18fd7584ab7f1aa94e6154edf5fb1d553f9
AgentTesla
bccc2a1036cae75070c4f2df937c91cd36f718a7956103abe42b99d01b4ae044
AgentTesla
cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
AgentTesla
d52275a861a9396629e78edca76c3b3cec55980115feadfd0e93ca9c400bbffa
AgentTesla
ecade566a9d6d611fe4ee178d686516aad0c5b0af39d07b8e4d9e7900bb3aec8
AgentTesla
+ 65 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231018-2h8llacb3v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
8022776b3441b4ca869741adea47765e0c0e73f694d1f1f147b2ee0d72a038f5
MD5 hash:
6b50b1a6c9216f9259472f3863f34889
SHA1 hash:
b6ff60556657f7b6685efea506e243f0db04aa38
Link:
https://www.unpac.me/results/55186633-af32-4ac6-8fc3-8fc4012aaa10/
SH256 hash:
ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa
MD5 hash:
51e85d063788811778e570139e28ac5a
SHA1 hash:
b3a9f24d4d25c91058e6c1f91e07219423b428fa
Link:
https://www.unpac.me/results/55186633-af32-4ac6-8fc3-8fc4012aaa10/
SH256 hash:
435555e267f33521f730a8b38f2f9f43d170d412ae31f0580f6ec9375e768daf
MD5 hash:
5c12f6b132b3a19e0a4534dcfc03db9d
SHA1 hash:
4e3bff4881a7ff653020aa3adb161f17798df022
Link:
https://www.unpac.me/results/55186633-af32-4ac6-8fc3-8fc4012aaa10/
SH256 hash:
755796e62c9c0c2f5c5b664838d93083cd1c3290ba666dd84bb497b38a953776
MD5 hash:
27ee6f94451763acb15c427adfddba5f
SHA1 hash:
1c3e2c1148afe19681e50aa0a5ed027581b432e5
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/55186633-af32-4ac6-8fc3-8fc4012aaa10/
Parent samples :
1b29fb3263d4305fa8dc267616a040739f8121b24d27506f3764e2f1088c43f4
1d03362107576c4ebcd1c282425e4a7f46a9749d7df874e7005a7cf23b1cc40e
56b42ce524e101188605f0c0f6efaa7f4e77f4754dcb62607e6b53c45e4952be
2e8241eff0540974da2847ba7129a79187a3e5d860d5c3125edd20ee183d74a9
2029b84d785d6e3379aab8455ffd8ddda16c01304d507d9dc009d71186da2009
9551b8ab0bc6b210d632f4e4d77238f1ba8ddaefb6e8728c579773ce9eed963e
1d0a887a3854e98591d1f6b0fc2cdf986d032efad809323223949548860107e8
ecade566a9d6d611fe4ee178d686516aad0c5b0af39d07b8e4d9e7900bb3aec8
b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d
755796e62c9c0c2f5c5b664838d93083cd1c3290ba666dd84bb497b38a953776
7b1cce564dc6d5d24828d9bcf583ab5fd64e3ef6574bff5f079a1c2ba9b043a5
a212cb057ef247f50d13b60031f5ef2527f1d86c79628a7d3d8bc328cbe1ccf6
SH256 hash:
3b59bd6bc4f6130610250b652df87eedac301f2ac12d7ea0a2699db61540b192
MD5 hash:
03b4927f7b811ff1222275c5e83a24a9
SHA1 hash:
0a69966dcab2e8f8198c00ed5b163948fe518946
Link:
https://www.unpac.me/results/55186633-af32-4ac6-8fc3-8fc4012aaa10/
SH256 hash:
b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d
MD5 hash:
9ffadfed8c84ef64a24659860e5fffd1
SHA1 hash:
64960a5178a83b2fe6090a63e45a6b04587fcd6e
Link:
https://www.unpac.me/results/55186633-af32-4ac6-8fc3-8fc4012aaa10/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8b3c1fc69a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments