MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9
SHA3-384 hash: 50314b5b52d07f70b10050f4e2be22fc359fa2cee4cccbae8e8450520da61c0957c529359a6dc94332cc56e1e352c27b
SHA1 hash: 94b2559e71b72a6c7029b9eda95b1a480eb25ea1
MD5 hash: d525784068f44c8c06b97756f67bca48
humanhash: north-fix-sweet-single
File name:38h4tp20bm85.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'256'960 bytes
First seen:2023-08-10 13:41:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c8cb7a778b504c2b41383b432dbd8883 (1 x AgentTesla, 1 x RedLineStealer)
ssdeep 24576:ydBXwq3wYbKJxMZGmjBB/n0dSmsmIfKNzeAE/Nh/P0tqSQ:+XJbKJxM8MY0msmIfKtenn/PKqZ
Threatray 16 similar samples on MalwareBazaar
TLSH T11645AD3138C68FB2EFD220B506DCBCE296EDB2F0072545D767854BEEA2605D06B3D856
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon a2aa2da8a4e14450 (1 x AgentTesla)
Reporter JAMESWT_WT
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
38h4tp20bm85.exe
Verdict:
Malicious activity
Analysis date:
2023-08-10 13:41:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e4bac435-fa86-40b2-be7e-1939074d839e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441946/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.18097.1795.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102435/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/64d4e92b2a1db2a88ac75220/reports/ad74050e-879f-4e60-a8a6-c88437b27ade/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/66c2b8ed-42d8-4b8f-9ce8-fef468a8d213
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1289401
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-10 13:40:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ajf4twdvsnjczargmsz2yewibolxge7u4llkm4hjpjequm34o4q._file
Verdict:
malicious
Similar samples:
104169a70b4443342fea2349028c90b5dd65571cfdf0279941783599ccc3302b
AgentTesla
2cac970a74cf3c21383ea093fef86dc2628898343935d2eb7be8802a758548ed
AgentTesla
6b523891d01caaf5b843e9e2bbc51252f12bbab6d6480a5b6ec1a3fa32cfa8c8
AgentTesla
84d136aa66db9cc35aeb9ed4c01b0de7821c7636843fecf1dedbeda6be208206
AgentTesla
a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
AgentTesla
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230810-qznf7sfa8t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
3a50c83b7fdb8ff1c7fa7772895397630777d1b4e0d53ec6fc1e33321c3aa834
MD5 hash:
2754153cd10a00eb10a4856dac2e5522
SHA1 hash:
c32222a4e04725c9e7fa86f13921d59d54c53f94
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/4c6e16d6-4241-4b52-8f49-3463a72f58fd/
SH256 hash:
f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9
MD5 hash:
d525784068f44c8c06b97756f67bca48
SHA1 hash:
94b2559e71b72a6c7029b9eda95b1a480eb25ea1
Link:
https://www.unpac.me/results/4c6e16d6-4241-4b52-8f49-3463a72f58fd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8125e4ec3ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2703649/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/441946/

Comments