MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8e39ad2627acb33afc0af7f1534f5a48bb49b4aeb46e2ed15f102bb065e62b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8e39ad2627acb33afc0af7f1534f5a48bb49b4aeb46e2ed15f102bb065e62b4
SHA3-384 hash: 9159f4db3cbdc713042284fb755bc981bc63007aacb6d0127d0329c3a764ad4ac8a87232842421babc14776c9b25853d
SHA1 hash: 4da1fe69eae3db93f11fbc3653348b7ec1402f25
MD5 hash: 8ac0fc791fb8cd4e0c546a002e51963d
humanhash: whiskey-south-four-stairway
File name:SecuriteInfo.com.W32.AIDetectNet.01.23925.25842
Download: download sample
Signature AgentTesla
Create hunting rule
File size:624'640 bytes
First seen:2022-06-15 05:39:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:L8GZn6/KBOgHlEixn8JWZ9jSA5ceeZK6glbLfEgJ2tWN:rICO4WQ8JW9jb5FbbHJF
Threatray 17'497 similar samples on MalwareBazaar
TLSH T1C3D4E02163BC4369D67AE7BDF42050A107F9B667717AE3AD4F4130CE1992BC28533A63
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.23925.25842
Verdict:
Malicious activity
Analysis date:
2022-06-15 05:49:55 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/2528e839-ba81-43af-86f9-4340c154938b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280028/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.23925.25842.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a970c92d4be2eac84f2480/reports/2cae1ea7-ca1b-416e-8b7f-3bd57de6015e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aebb1db8-c406-47c4-9ca8-fbdaba0b3c55
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1013429
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 645922 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 15/06/2022 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected AgentTesla 2->37 39 4 other signatures 2->39 6 aajqkC.exe 3 2->6         started        9 SecuriteInfo.com.W32.AIDetectNet.01.23925.exe 3 2->9         started        12 aajqkC.exe 2 2->12         started        process3 file4 41 Multi AV Scanner detection for dropped file 6->41 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->43 45 Machine Learning detection for dropped file 6->45 14 aajqkC.exe 2 6->14         started        25 SecuriteInfo.com.W...et.01.23925.exe.log, ASCII 9->25 dropped 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->47 49 Injects a PE file into a foreign processes 9->49 18 SecuriteInfo.com.W32.AIDetectNet.01.23925.exe 2 7 9->18         started        signatures5 process6 dnsIp7 27 192.168.2.1 unknown unknown 14->27 51 Tries to harvest and steal ftp login credentials 14->51 53 Tries to harvest and steal browser information (history, passwords, etc) 14->53 55 Installs a global keyboard hook 14->55 29 mail.egygulfgroup.com 50.87.248.111, 49759, 49775, 587 UNIFIEDLAYER-AS-1US United States 18->29 31 x1.i.lencr.org 18->31 21 C:\Users\user\AppData\Roaming\...\aajqkC.exe, PE32 18->21 dropped 23 C:\Users\user\...\aajqkC.exe:Zone.Identifier, ASCII 18->23 dropped 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->57 59 Tries to steal Mail credentials (via file / registry access) 18->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->61 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b8e39ad2627acb33afc0af7f1534f5a48bb49b4aeb46e2ed15f102bb065e62b4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-15 01:21:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdrzvutcplfthl6av57rknhvusf3jg2k5ndof3iv6eblwbs6mk2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21a1fe67e4c65a5e6abcc621c2db92a3acb969fe922f8be1d2245c23d78b141d
AgentTesla
2cb04eecfa244cba67a5bb51021c39605e37a75cd8231be675944c50443cc85e
AgentTesla
43cb3ca80aa1ca82132bfede80febbf74cb511ae3a683a4f0e26ff8a11b87367
AgentTesla
54d48500414b67ed625499d5d6e77230e4e460622d96d5d333a32aea4573ca9e
AgentTesla
5db110dfb57b23725b541beb1cf53e421e94ad03e87b33c8471c96f6a7e3dadc
AgentTesla
cdbaf4e28adc82d41a24e859b2476217a1ba2c9142cc354e652f9644760fb23f
AgentTesla
f44758774bed0b815e7620d5e8937fd98a0313d10e3334e08424df68f09dc0a7
AgentTesla
+ 17'487 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220615-gcwdvsfedl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
5e95b92999dc337f367d2c8e91e68daadbcdfc537d2d11fa2612ce68a58e8d04
MD5 hash:
e3df2dd40f0ce5dcd593a52653983ca4
SHA1 hash:
d7d895a35867dc41c8a03ab5ec3aa4e38e1a08a3
Link:
https://www.unpac.me/results/ea67e44f-c304-4bde-b27c-401d60229d71/
SH256 hash:
f1757fd24d07dc82f5d1ca4f304f003e6d4fe61d6888a540305603c6cba431ed
MD5 hash:
bb705ad4a3a6c94fddb89969e9dee61b
SHA1 hash:
b3c73cfbed351632c13b4a93f4590794f278223f
Link:
https://www.unpac.me/results/ea67e44f-c304-4bde-b27c-401d60229d71/
SH256 hash:
446e5b81d2ec8677dda0c6dc4bdfb2e9765006e61de2236f8d2802b22efc2f9e
MD5 hash:
05a5a73e4ceae43379afe16c743183ba
SHA1 hash:
80a7d403da46728e91daa39af03bce74decd9371
Link:
https://www.unpac.me/results/ea67e44f-c304-4bde-b27c-401d60229d71/
SH256 hash:
766886dac87e15a87c7179ea2ca01692018fa03b8497d73ea15eb0d66fd9df16
MD5 hash:
acfd5f40e993ec105453f3ed3a1a6c1f
SHA1 hash:
2423197f12411dffa52f9db4f7684607beec7db8
Link:
https://www.unpac.me/results/ea67e44f-c304-4bde-b27c-401d60229d71/
SH256 hash:
b8e39ad2627acb33afc0af7f1534f5a48bb49b4aeb46e2ed15f102bb065e62b4
MD5 hash:
8ac0fc791fb8cd4e0c546a002e51963d
SHA1 hash:
4da1fe69eae3db93f11fbc3653348b7ec1402f25
Link:
https://www.unpac.me/results/ea67e44f-c304-4bde-b27c-401d60229d71/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8e39ad2627a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8e39ad2627acb33afc0af7f1534f5a48bb49b4aeb46e2ed15f102bb065e62b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/280028/

Comments