MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8eb1f317af04fac903ebe9c922d5ebfe86b21fda22d4cb3c4362002d1f55f69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	d8eb1f317af04fac903ebe9c922d5ebfe86b21fda22d4cb3c4362002d1f55f69
SHA3-384 hash:	291480c093c6d2b86b5ee0a52f9359fb32d839aebeaf759df1ace7a2586e23b4a5693318e8f004447457371337dc982a
SHA1 hash:	d905c6f6ae4baabc5576436e58124f7b788a6c08
MD5 hash:	99adf97b77d6b1d9fb811624c54a9b23
humanhash:	lactose-spring-dakota-seven
File name:	blessed.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	687'104 bytes
First seen:	2022-11-02 13:48:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:KQAgHtDg5xE1eWAqQB4gQ3e5zejd0WxJrySSEDpzObkHkRWdSSohJUB9PVfd/Nhp:14WgQMep0krySWwkQSDodfd2i
Threatray	19'635 similar samples on MalwareBazaar
TLSH	T15EE4C02429EB521EF273DF711FD479EE89AEF6332606B47E149107C64712E01CE9163A
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0c00ccecb892b1a8 (9 x AgentTesla, 5 x Formbook)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Docs.xlsx

Verdict:

Malicious activity

Analysis date:

2022-11-02 09:03:23 UTC

Tags:

encrypted exploit cve-2017-11882 loader agenttesla

Link:

https://app.any.run/tasks/2f9c9d4f-7c3b-4829-aaff-dded785d03ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/327189/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.48175.29057.12006.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Forced system process termination

Сreating synchronization primitives

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63627554736e9d884f0dde33/reports/1481ff84-fd72-4d5f-8095-34c49815b0d6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ba6fa7c-2b95-4863-810b-1fbf18db7e89

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1103320

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

.NET source code contains very large strings

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8eb1f317af04fac903ebe9c922d5ebfe86b21fda22d4cb3c4362002d1f55f69/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-02 13:47:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3dvr6ml26bh2zeb6x2ojelk6x7ugwip5uiwuzm6egyqafupvl5uq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

51a2542d1b273f9d3d1c1b8817d77451c46bdb03e22c7b25c05f383b289305d0

AgentTesla

53ef40bd7a3f40011262485f65a14550440b994ed5e902c9e8896bf22d2519cf

AgentTesla

66ad671957356b0a979ac4ce68ade78f8ddfda2dabd4e1dc0b1ec68a1ac6dcf5

AgentTesla

add9c8baf898a95f7fda191fc281bbd09f36d8548fec2169d53e1998a6baca48

AgentTesla

e590ea69c4cb25b6267f395529ae988293e7cedd0ebe8bfcf0d98ae91e35bffd

AgentTesla

+ 19'625 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221102-q4p6lahcc2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b3aff3a3-39c5-485e-998a-a65d57d005c7

Unpacked files

SH256 hash:

e590ea69c4cb25b6267f395529ae988293e7cedd0ebe8bfcf0d98ae91e35bffd

MD5 hash:

61f9ac5773da429ada5bba98b13dfcae

SHA1 hash:

e9e8a04294a20f204238f339236ea74a1cfe2093

Link:

https://www.unpac.me/results/c98a4f65-cd02-45b2-bed7-c924617641ac/

SH256 hash:

a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59

MD5 hash:

404efdeb9931733904da07f96fabeb72

SHA1 hash:

7ce363cd612f1d9a90b33ec196c4d0a49cdaee02

Link:

https://www.unpac.me/results/c98a4f65-cd02-45b2-bed7-c924617641ac/

SH256 hash:

1686d3ecace375dbaa5877eb12ddcf5a88bae26d600e4abe51a98a4a0ea5600c

MD5 hash:

2f2127769211cd013ec0c8064f4edbc0

SHA1 hash:

40d061d7a328765c79c381c6f4fb6b19415f6cf0

Link:

https://www.unpac.me/results/c98a4f65-cd02-45b2-bed7-c924617641ac/

SH256 hash:

d8eb1f317af04fac903ebe9c922d5ebfe86b21fda22d4cb3c4362002d1f55f69

MD5 hash:

99adf97b77d6b1d9fb811624c54a9b23

SHA1 hash:

d905c6f6ae4baabc5576436e58124f7b788a6c08

Link:

https://www.unpac.me/results/c98a4f65-cd02-45b2-bed7-c924617641ac/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d8eb1f317af0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/d8eb1f317af04fac903ebe9c922d5ebfe86b21fda22d4cb3c4362002d1f55f69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/327189/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample