MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8e8f5c8629513ef5ec5162ca8e5e8a7758917c4a457270e1d438c23ba3a3fa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	b8e8f5c8629513ef5ec5162ca8e5e8a7758917c4a457270e1d438c23ba3a3fa0
SHA3-384 hash:	fb8ec1539e262107041802735071b7af3d2ec51c942ddeea7cbeabc95e0286a9938e098f0d7e1b362c1e71ace40745ca
SHA1 hash:	fa33e053d2c645a3c88a3d5c9f38ad12459e1c15
MD5 hash:	4efef80a9df1e5a4d99f7439000b0c7f
humanhash:	iowa-oklahoma-william-video
File name:	4efef80a9df1e5a4d99f7439000b0c7f.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	606'720 bytes
First seen:	2021-09-22 18:04:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:5iKnVbpe8bfkdLtqDIZQBpCCE/npuCxpbBK3:5LfkbqXBpCCSnpFK3
Threatray	10'168 similar samples on MalwareBazaar
TLSH	T1D6D4902D7A051E72FF1F893449510B64BBA2BF137280A987A3CB75CB876F1672D05C98
File icon (PE):
dhash icon	70f4f0b8b4c4c0d9 (1 x AgentTesla)
Reporter	abuse_ch
Tags:	AgentTesla exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4efef80a9df1e5a4d99f7439000b0c7f.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-22 18:05:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/39e4128d-8493-4406-9668-46f194cfa83f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/190367/

Detection(s):

SecuriteInfo.com.Trojan.Heur.DNP.Lm0@aGreKZjG.12242.4252.UNOFFICIAL

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f279cf10-706b-42b1-8681-d40229d3624e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/855913

Signature

Binary or sample is protected by dotNetProtector

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b8e8f5c8629513ef5ec5162ca8e5e8a7758917c4a457270e1d438c23ba3a3fa0/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2021-09-22 12:48:43 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xduplsdcsuj66xwfcywkrzpiu52ysf6eurlsodq5iogchor2h6qa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

440584979145865d0d4ed8eccb48f90699a2b0c6c6eef0c2162db0d42b1c0fdc

AgentTesla

46096a5640a91cddbb2ea4d49d24f6df8e2d079f68a2559849ee9ff3a50281c3

AgentTesla

50092ce00b7ddc00affb030883d416375fa8acc6139fd8f3ca0ca9d087e2602f

AgentTesla

606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525

AgentTesla

7b41953809b047db74ed61cf3ecceb535e0382a71976b24c1a966be3a5774c80

AgentTesla

93f290cc7d1addf57b72773a12b307ba5598c086339d176d9a24a641a7e69d08

AgentTesla

ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501

AgentTesla

e08e91dd17aa510e2f463e194ad56d50e0a057dd03d1462873d9c9f0a7be9ab7

AgentTesla

e2442b1de26c03cdd8343e1a8f0428a97c341181bc8289d92f2764931dcab744

AgentTesla

+ 10'158 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210922-wn8wnafhfn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot2017480070:AAEhICR2Yy5NwasA-Cw1qaDJiUj6zxLU08M/sendDocument

Unpacked files

SH256 hash:

106a6f70cb2e84a96fe7487e99245e87568b286fad09da3564b86baa503de540

MD5 hash:

8b72329804f9f16f2a3f2f8f40d472a4

SHA1 hash:

c9c69d545b60cd4b9b8f909f50b32eadf8e67211

Link:

https://www.unpac.me/results/13193b9e-6ef9-4264-b2d0-4290914feb17/

SH256 hash:

b8e8f5c8629513ef5ec5162ca8e5e8a7758917c4a457270e1d438c23ba3a3fa0

MD5 hash:

4efef80a9df1e5a4d99f7439000b0c7f

SHA1 hash:

fa33e053d2c645a3c88a3d5c9f38ad12459e1c15

Link:

https://www.unpac.me/results/13193b9e-6ef9-4264-b2d0-4290914feb17/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/b8e8f5c8629513ef5ec5162ca8e5e8a7758917c4a457270e1d438c23ba3a3fa0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe b8e8f5c8629513ef5ec5162ca8e5e8a7758917c4a457270e1d438c23ba3a3fa0

(this sample)

Cape

https://www.capesandbox.com/analysis/190367/

URLhaus

https://urlhaus.abuse.ch/url/1639333/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample