MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8
SHA3-384 hash: 8f01cc5a44e0bf73db17d14e248c6655fdd7de44870e37e92e52feeebcb53808badde340bf111d6bd100580cf6ce5df0
SHA1 hash: ff8f1e92c0b16fcc67b9fe5ac42487734a05b9d7
MD5 hash: 85176d66f3f6e6e0dba229d9b2bd1d71
humanhash: carpet-red-fish-california
File name:New purchase order.XLXs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:827'904 bytes
First seen:2021-09-23 14:15:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:hwmtiK5oZsQt7zUROsZxKKdnROz9vdwfD0FAlxk:K+FoZsQtvU0srTRc1dk3
Threatray 10'505 similar samples on MalwareBazaar
TLSH T1FE058AD86D898A13D3944532DC5D6219326C6C0A3723835BDBE63E773EFE283C52D58A
File icon (PE):PE icon
dhash icon a28aa2e2e0aaa2a2 (14 x Formbook, 11 x AgentTesla, 5 x SnakeKeylogger)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New purchase order.XLXs.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 14:29:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f659ab7b-676c-48b7-ba65-24ecf19622e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190793/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e60a88e2-25db-474c-b835-61ef3e8dc5a5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856687
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 23:50:05 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwciplc57g5f4kek5nf56irgmeo32gkcuvop3oj37hk7g7qqhsua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2204721fb0f43f4a2b68a990ac7486515729270a573070155b47fbdac95c3183
AgentTesla
487d2a06544320c28cac33f3c9f46496dc127baab12192ceefd237b48ce02a47
AgentTesla
5a72b38c3ea9ca9b5a3e10a3c1c14e6ab3e26d6a1cc4afdf5e9c818175bb9ea5
AgentTesla
72684a74349ce5fc82b27e2a5db12508ff040c352f920ed69fc688162f722c74
AgentTesla
8607e20a0ecebc432c593b19b11354cafcddf7658bf0dcd8547dee3ad9872471
AgentTesla
8a0d96c6ab22bc62611c7cad581ca536d766063570117e0ddb1747828b5afc96
AgentTesla
91d6b1ee61fc676affdcead674c1d17c2d62f7aacc1a757e4071af6134fc2847
AgentTesla
aa3fd5cbc23ac2bc4be0b2a6c5ac09700e26e8403f37c4b3ad8342edea9e06bf
AgentTesla
c79c207fbde525a5b0aee8317bb5d3734b18a24f664501b57abc6eca3b41c01d
AgentTesla
ec5f9f7e91d92d5676b928f6b88f3d7e429b948811eb5c8358f36cffe67a97df
AgentTesla
+ 10'495 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210923-rk585seecp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e60c71a3cafa86b370e02270a19023068c2a9491e6e621fac6cda033eb488081
MD5 hash:
132db1617757bd8770383741aa28b9fa
SHA1 hash:
d77cf66e14b5935df3ab42d51131d135a5e897fa
Link:
https://www.unpac.me/results/6d906d6d-79da-494a-beb9-aab2544345d0/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/6d906d6d-79da-494a-beb9-aab2544345d0/
SH256 hash:
83d6771bfaeb3c80d61de53c3d4c686883cfc6f0af67be4671dac06e84cca3d8
MD5 hash:
b3e5c2d560a6d7fcedff14dc02c59ad0
SHA1 hash:
b58a80f3915a3c1ca067e99242609f5e89d6ccb6
Link:
https://www.unpac.me/results/6d906d6d-79da-494a-beb9-aab2544345d0/
SH256 hash:
ec34278adc573fe39026033f4df892cedc496c1b70caea61e5c0dc5fe46f5983
MD5 hash:
35f82854c5f57a4c85c51b21af3aaee3
SHA1 hash:
2abce2e8c89854813604c0efa9249f8375fc15a9
Link:
https://www.unpac.me/results/6d906d6d-79da-494a-beb9-aab2544345d0/
SH256 hash:
cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8
MD5 hash:
85176d66f3f6e6e0dba229d9b2bd1d71
SHA1 hash:
ff8f1e92c0b16fcc67b9fe5ac42487734a05b9d7
Link:
https://www.unpac.me/results/6d906d6d-79da-494a-beb9-aab2544345d0/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cd8487ac5df9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/190793/

Comments