MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8c4d27fbe32ed66820679795322a60ac9f473ab97867b4cd9cdfa3bb4b3fe4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	c8c4d27fbe32ed66820679795322a60ac9f473ab97867b4cd9cdfa3bb4b3fe4e
SHA3-384 hash:	3c0f041531330be2ee45d4313372ddf730fd3520a6e990bce313000a2c2081ace7c40146cc5a200cc2777d31ebab844b
SHA1 hash:	3132a0a6e3670dd97ba763f920ad874f5c5be540
MD5 hash:	897ee81a9d60ae0c60ca907aff4af65a
humanhash:	oranges-happy-seventeen-illinois
File name:	dhl shipment receipt.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	962'560 bytes
First seen:	2020-11-11 15:16:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3e0c51f5711a5619dc8763ea2a3be01d (10 x AgentTesla, 2 x AveMariaRAT)
ssdeep	12288:wGHrVrcGtP+TdrsLG12VV6PloFbJRi09k84CU40f7p3LD9mQwZSO1gfYzW4l:wGLVY4GTdrsLmA0Z60p3n9mrZafYzW4l
Threatray	30 similar samples on MalwareBazaar
TLSH	FC259D0F39CD17B2E465D431F01E5AA30F6148FDA22F142B37C4FAEE14E9BA28645799
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Artemis.13760.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Unauthorized injection to a recently created process

Creating a window

Launching a process

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/531650

Signature

Detected unpacking (creates a PE file in dynamic memory)

Drops PE files with benign system names

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8c4d27fbe32ed66820679795322a60ac9f473ab97867b4cd9cdfa3bb4b3fe4e/

Threat name:

Win32.Trojan.Bluteal

Status:

Malicious

First seen:

2020-11-11 09:10:09 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zdcne756glwwnaqgpf4vgivgble7i45ls6dhwtgzzx5dxnft7zha._file

Verdict:

unknown

AgentTesla

04a3cf2c1316b5dd21365ac36bc970cc9b28514d42d41712c783345e07a99a07

AgentTesla

09944e1f48bf7f92a9302b2fb104e20ede5d5a897dd2107f795175e0cfa405e0

AgentTesla

1beeee8be1d1210689501aea9ee2ff97fba886b65ecb5fc92a9ef0f732021428

AgentTesla

22a1fa0244b13dcbce7f57bf490cddfa7294570c35399fee154b0fe8205e4734

AgentTesla

344ae78ecc8cac02bb3dcd94c654b74543db829984f903f57dfab395639bfc72

AgentTesla

348acef68bed5a0d2f034135b22cedae642fe96251ab3d7ad150163403c3a145

AgentTesla

4b4ce2070aa958e7431643fc10c4b96ca8612747a2d5e0bf23ae31013ed71b59

AgentTesla

90951c565539e5a0688a20b7eb41991851666bf3defc80ca4414dc39ebf9590e

AgentTesla

efce4b4309987f45ebc256f2d489446ebdea2b2a31056f65459cc59589aeecdb

AgentTesla

+ 20 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201111-j6ppcwe26x/

Unpacked files

SH256 hash:

c8c4d27fbe32ed66820679795322a60ac9f473ab97867b4cd9cdfa3bb4b3fe4e

MD5 hash:

897ee81a9d60ae0c60ca907aff4af65a

SHA1 hash:

3132a0a6e3670dd97ba763f920ad874f5c5be540

Link:

https://www.unpac.me/results/2a32495a-55f9-440c-8960-2d874d34b911/

SH256 hash:

f1f261f8a12b0eb81355e51c743eba8981adfbc9cf0792e7d108d893f4c9b337

MD5 hash:

0f13bbf40ce19b63a62b15930d3d0a7e

SHA1 hash:

2b2509592dc4a66209b880332ad71d40d63bcb87

Link:

https://www.unpac.me/results/2a32495a-55f9-440c-8960-2d874d34b911/

SH256 hash:

78624d2dc40d66940af7fcc223f793e015b207976037b48c4e2e4b2a1ac4ff57

MD5 hash:

d3a87f29c6138ee19f0c9ea5ed8c5451

SHA1 hash:

39d65bd3003219738ba8d342319a048e8e3a1902

Link:

https://www.unpac.me/results/2a32495a-55f9-440c-8960-2d874d34b911/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.