MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8bf210bb2533eda6afc8946885e7071dfa88175cab94f63aa3f9b9858d462f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8bf210bb2533eda6afc8946885e7071dfa88175cab94f63aa3f9b9858d462f5
SHA3-384 hash: 79ac5148443aaf2ed11fa4203a02b48e15b390a56a6ce1633de1cfbfcd7f7b2a832bce064b2a1cc3dbbd8febe1006f03
SHA1 hash: aa5312654237d20dde30028c9de8724bac01fb2c
MD5 hash: 6a1245c9f627a0086d66c79e9fbbccdd
humanhash: cola-missouri-tennis-mississippi
File name:11056jpg
Download: download sample
Signature AgentTesla
Create hunting rule
File size:494'992 bytes
First seen:2020-11-12 12:52:03 UTC
Last seen:2024-07-24 20:45:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'797 x AgentTesla, 19'707 x Formbook, 12'278 x SnakeKeylogger)
ssdeep 6144:IPf1wLfunyj/3DDNtGpF2qjnthBRxcvE5/dXeC7JMb3pXf+G9:m9w0+DepF2ihBRxcvK/4GY
Threatray 39 similar samples on MalwareBazaar
TLSH E6B416F6381F412AC5AA2E71CC50CA81BF7D5BC2BA02571DF49E633C2DA472E63065D6
Reporter JAMESWT_WT
Tags:AgentTesla

Code Signing Certificate

Organisation:CRYPTOLAYER SRL
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 17 00:00:00 2019 GMT
Valid to:Oct 16 23:59:59 2021 GMT
Serial number: 105440F57E9D04419F5A3E72195110E6
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: E95C7B4F2E5F64B388E968D0763DA67014EB3AEB8C04BD44333CA3E151AA78C2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Heur.KT.2.Em2@a4AX3lh.8797.15366.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/532656
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315429 Sample: 11056jpg Startdate: 12/11/2020 Architecture: WINDOWS Score: 80 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected AgentTesla 2->39 41 .NET source code contains very large array initializations 2->41 7 11056jpg.exe 4 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 2->13         started        process3 file4 27 C:\Users\user\ijbsg.exe, PE32 7->27 dropped 29 C:\Users\user\ijbsg.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\11056jpg.exe.log, ASCII 7->31 dropped 45 Drops PE files to the user root directory 7->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->47 15 cmd.exe 1 7->15         started        17 ijbsg.exe 7->17         started        20 ijbsg.exe 1 11->20         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        33 Multi AV Scanner detection for dropped file 20->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->35 process8 signatures9 43 Creates an autostart registry key pointing to binary in C:\Windows 22->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8bf210bb2533eda6afc8946885e7071dfa88175cab94f63aa3f9b9858d462f5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 11:32:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xc7scc5skm7nu2x4rfdiqxtqohp2ralvzk4u6y5kh6nzqwguml2q._file
Verdict:
unknown
Similar samples:
1cf9635133972859e226ccff6a787c9bb8d2ca6471ae5a9650b3841625072444
AgentTesla
1f5a8eb777f80c4d298076898354c9587e50efac145a01a3e88b79eb2be1c67c
AgentTesla
3a080bd2bc175ba929ce56ebeb07c3603d63a968eca9d74e8ad76a66e59988a1
AgentTesla
4f6b764220fed379fef259157d521dd0fc888fee4ae776f7bc1d7e8579fb4af5
AgentTesla
50e781f81383ec2a395e7cfc2e75acf89b97b1472530a5f6d6863e3b8d64fd2d
AgentTesla
5da82dd52f913ff5d416ec5479133a0f89cd5d835d2fbd964f32191f642ca9fa
AgentTesla
b2fed8b3b9b722c41bbdc8f6dc1cf229ecd5618191ced89759c4e4fe298cd7fc
AgentTesla
ba262cdbcdb92da5aebe0e7ef1c7b17a183d7d9f058d6e73e977ed5c129ea0d0
AgentTesla
c1d8a5609784204c52e0983eab129b809e6fdba68361b22ace4e7e973cdd3468
AgentTesla
e33cc945d6b0681de6b34b52f0cb609676cdf5f3ecf61f4122b64d7a7e74b5ca
AgentTesla
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201112-aky35ftaks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
9b966d593ad49785e31b7fc3f6f988b366c7a84b900836a3d94e67207fa179e3
MD5 hash:
b3a46eb9cdb2e120f5677c22a4000beb
SHA1 hash:
26a17884703c2cbbd36fcf4524ad24c34a2812fc
Link:
https://www.unpac.me/results/9d549379-d9f6-481d-ad03-df2c699f0f49/
SH256 hash:
b8bf210bb2533eda6afc8946885e7071dfa88175cab94f63aa3f9b9858d462f5
MD5 hash:
6a1245c9f627a0086d66c79e9fbbccdd
SHA1 hash:
aa5312654237d20dde30028c9de8724bac01fb2c
Link:
https://www.unpac.me/results/9d549379-d9f6-481d-ad03-df2c699f0f49/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b8bf210bb2533eda6afc8946885e7071dfa88175cab94f63aa3f9b9858d462f5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/810605/
  
Delivery method
Distributed via web download

Comments