MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8f7de322d54c0e00485e12571d9f7b3f36cd375b2307ba3ce0d6f04fca582e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8f7de322d54c0e00485e12571d9f7b3f36cd375b2307ba3ce0d6f04fca582e6
SHA3-384 hash: aa3df8f883c6344840d5c11d3e33ba95c5691c074ccad96e97944c781eb42f9ed37cb829fe80e2f7288a2f5c16fffbc5
SHA1 hash: 046e1a1d4fd004982a29d80d041d2095885dfb56
MD5 hash: 97fdf1fe1045dd9a906a5c38e7718ff3
humanhash: nevada-oven-india-muppet
File name:jzWRsmPoshNViFq.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:463'872 bytes
First seen:2020-09-14 13:44:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:PHB22iN+v2zv1gEydMeBIcr/CLZJAljpSXrjyJqNa7rl:Y1T2Hy6rTCLDARpOrjpa
Threatray 149 similar samples on MalwareBazaar
TLSH 7AA40211F3D0E738F1BD5B761590233003F5956AEA22F76CAFF625FEB932A814260256
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/59212/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/465420
Signature
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 285121 Sample: jzWRsmPoshNViFq.exe Startdate: 14/09/2020 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 8 other signatures 2->39 7 jzWRsmPoshNViFq.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\tBpzAABJIUdV.exe, PE32 7->19 dropped 21 C:\Users\...\tBpzAABJIUdV.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmpCAC7.tmp, XML 7->23 dropped 25 C:\Users\user\...\jzWRsmPoshNViFq.exe.log, ASCII 7->25 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Injects a PE file into a foreign processes 7->45 11 jzWRsmPoshNViFq.exe 15 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.transfopam.com 69.73.168.29, 49727, 587 NTHLUS United States 11->27 29 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.203.47, 443, 49726 AMAZON-AESUS United States 11->29 31 3 other IPs or domains 11->31 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Installs a global keyboard hook 11->53 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8f7de322d54c0e00485e12571d9f7b3f36cd375b2307ba3ce0d6f04fca582e6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-14 04:05:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3d354mrnktaoabef4esxdwpxwpzwzu3vwiyhxi6obvxqj7ffqlta._file
Verdict:
suspicious
Similar samples:
02d5133bd2c5538f7a5905b1065c5e7968112fd5b9dc55e384fabd66cab80257
AgentTesla
21a4a2ebe866efae474358e77674e85962327f1817adf7e80e68ff46fcc3e5cd
AgentTesla
6bff20fdd96d8000c8ed41646f581c79b1ecbf6843d4afebe5d749fb7570cbef
AgentTesla
9e10fc41c094333b40f9561869350e0a1d13eb78ef325b0d3fe2f4086f119b57
AgentTesla
9feaaac33b02f7cad79f1993ee78c2b7436b23d521dd42a28917220d8c155736
AgentTesla
ad7d44ac220a79646260a35e5b3b74bf3af016a176998895e36015014c8a6a6c
AgentTesla
b9225c079305112fcd1d5be698796eb426a668779daff06b99986266c161ab52
AgentTesla
d0ced70a4b700dc5e0905bf3743a224ac4722139d7507e367c32880c72ecd048
AgentTesla
d16f475314b8ed74ae76ed8fec7f39a6ef5a40eb989ab23eb0763460d2237ffe
AgentTesla
d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c
AgentTesla
+ 139 additional samples on MalwareBazaar
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/59212/

Comments