MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8c4477971a15461d08f74725d2922f5e2400d857f539648a3b4f9ea940a8ab8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8c4477971a15461d08f74725d2922f5e2400d857f539648a3b4f9ea940a8ab8
SHA3-384 hash: 0a2ef5225a09fe2893915bd2ffdd5c284be07b972ce5027a10a77f5b133d9dfea995cc88fd3b073a19806881f26c9a7b
SHA1 hash: d8b54f60fa927e1bcb8a2f1aa789b8fcff425245
MD5 hash: 52960f977b511bb88664a0177320a26a
humanhash: sink-wyoming-table-oscar
File name:52960f977b511bb88664a0177320a26a
Download: download sample
Signature AgentTesla
Create hunting rule
File size:866'816 bytes
First seen:2023-03-24 06:46:46 UTC
Last seen:2023-03-24 08:27:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:A8Q2EUZGsr81JwXMTdnYMTg0HgB7C3/XmSeoyglFt:RQ2zZOsMTdds9B7CvNl/
Threatray 1'605 similar samples on MalwareBazaar
TLSH T11705D004BD260D36F4FBD2B05050233A0B65FB655421EA998AFB689E6CEBFE301D055F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7aca8abab4a4b8da (33 x AgentTesla, 32 x SnakeKeylogger, 4 x DarkCloud)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3d64a167c2f313bac10c89b3d591be13
Verdict:
Malicious activity
Analysis date:
2023-03-24 02:59:27 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/db1a8522-13c8-46f7-9507-f4243f2b9aeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377036/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif packed threat virus
Link:
https://www.filescan.io/uploads/641d476a9c109cf74b2f0f39/reports/273bedc9-92e3-44a8-ae35-42a9eb35f552/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d8c4477971a15461d08f74725d2922f5e2400d857f539648a3b4f9ea940a8ab8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5db64347-cde3-4b58-9a27-9c16b1019b39
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1201010
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 833913 Sample: Z7sPY67Vv8.exe Startdate: 24/03/2023 Architecture: WINDOWS Score: 100 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected AgentTesla 2->56 58 2 other signatures 2->58 7 Z7sPY67Vv8.exe 7 2->7         started        11 gcWPrHZ.exe 4 2->11         started        13 uHqcLQ.exe 3 2->13         started        15 gcWPrHZ.exe 2->15         started        process3 file4 40 C:\Users\user\AppData\Roaming\uHqcLQ.exe, PE32 7->40 dropped 42 C:\Users\user\...\uHqcLQ.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmpE29F.tmp, XML 7->44 dropped 46 C:\Users\user\AppData\...\Z7sPY67Vv8.exe.log, ASCII 7->46 dropped 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 7->72 74 Adds a directory exclusion to Windows Defender 7->74 17 Z7sPY67Vv8.exe 2 5 7->17         started        22 powershell.exe 22 7->22         started        24 schtasks.exe 1 7->24         started        76 Multi AV Scanner detection for dropped file 11->76 78 Machine Learning detection for dropped file 11->78 80 Injects a PE file into a foreign processes 11->80 26 gcWPrHZ.exe 11->26         started        28 schtasks.exe 11->28         started        signatures5 process6 dnsIp7 48 us2.smtp.mailhostbox.com 208.91.199.224, 49707, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->48 36 C:\Users\user\AppData\Roaming\...\gcWPrHZ.exe, PE32 17->36 dropped 38 C:\Users\user\...\gcWPrHZ.exe:Zone.Identifier, ASCII 17->38 dropped 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->60 62 Tries to steal Mail credentials (via file / registry access) 17->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->64 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        50 208.91.199.223, 49708, 587 PUBLIC-DOMAIN-REGISTRYUS United States 26->50 66 Tries to harvest and steal browser information (history, passwords, etc) 26->66 34 conhost.exe 28->34         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d8c4477971a15461d08f74725d2922f5e2400d857f539648a3b4f9ea940a8ab8/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-24 06:47:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dceo6lrufkgdueporzf2kjc6xreadmfp5jzmsfdwt46vfakrk4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163
AgentTesla
4bb9b346c5379d2cfc1b8719449e5b8d1a8bdabf2cf1820229e508b5561f70b0
AgentTesla
4c4b6b6c0f4c2a19e46b2ac062954cfc17abce214a422fde206fbe9e28a13766
AgentTesla
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8
AgentTesla
8c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b
AgentTesla
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
AgentTesla
ff6721bb19c4960cb936ec5825c666964ba12a43cb900beb3dee291aa0842b98
AgentTesla
fffced1bdcc75250611ac4f91371db4df50cbff8d915940e2c37ce762b172c34
AgentTesla
+ 1'595 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230324-hj77nseh3v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
922c79635feee0857e7065d571df08e613edddb9a8eeaf37fd497426c39fda31
MD5 hash:
7a671057e498b02d070b62185cda8eff
SHA1 hash:
f69807aa3276d41e8916ec02bcfcdb746767c5ba
Link:
https://www.unpac.me/results/5dd90f49-812a-4b2b-baef-951bdb55e9f5/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/5dd90f49-812a-4b2b-baef-951bdb55e9f5/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
cde0d3400cd787fce5d1b95fa52908d64831430cc90dafddbaa79ae0d03bb3d0
MD5 hash:
06a5bc1d3143bcac174d81c5ffc09def
SHA1 hash:
650fb4549fb98ee4c7be5e03bf670241e6339cd0
Link:
https://www.unpac.me/results/5dd90f49-812a-4b2b-baef-951bdb55e9f5/
SH256 hash:
bd67fb6ce9e5e3a1a0919f3327648b0cc94a32890bf2cd29eea05e62c9fa1e19
MD5 hash:
619fd810ec051bbac2f7da259fec7a61
SHA1 hash:
2fab2daa79e378331ec0068f9f826b9fd7ad3d5a
Link:
https://www.unpac.me/results/5dd90f49-812a-4b2b-baef-951bdb55e9f5/
SH256 hash:
12c9c2ce45233e418b1c26ece1244e9d2f987fa1a4bfb573c8cdecf4c2ca8fa9
MD5 hash:
73ff22bac97a14581694182d69bfde07
SHA1 hash:
04f64a247f0b36ced2dee6d9a5806720f4c70de1
Link:
https://www.unpac.me/results/5dd90f49-812a-4b2b-baef-951bdb55e9f5/
SH256 hash:
d8c4477971a15461d08f74725d2922f5e2400d857f539648a3b4f9ea940a8ab8
MD5 hash:
52960f977b511bb88664a0177320a26a
SHA1 hash:
d8b54f60fa927e1bcb8a2f1aa789b8fcff425245
Link:
https://www.unpac.me/results/5dd90f49-812a-4b2b-baef-951bdb55e9f5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d8c4477971a15461d08f74725d2922f5e2400d857f539648a3b4f9ea940a8ab8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2583952/
Cape
Cape
https://www.capesandbox.com/analysis/377036/

Comments