MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114
SHA3-384 hash: 68340c4bb03a4dc653f87ff0571b8125ce6e3824d3b0b39d8fb1b3a31941caebc9df03f0ec7b41e94b0c9c3f0ba3409b
SHA1 hash: a618462130536e3a2d3c06a03473a584a1f4c070
MD5 hash: 9a2273d43305150b70e4cfa69bff2231
humanhash: double-video-vegan-orange
File name:9a2273d43305150b70e4cfa69bff2231
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'113'088 bytes
First seen:2023-10-13 20:47:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:vF1MS4NKeVxu4lWyQLQ85hadZ69wD3l6wklN5K8c6a:t127nUyqQnv6AglN5Kb
Threatray 419 similar samples on MalwareBazaar
TLSH T12B35242C0CF809124161E1AEDFD8EA57B1C08CD6664C9DA687C68F995A1393BF09FD3D
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Purchase Order 9000011644.xls
Verdict:
Malicious activity
Analysis date:
2023-10-13 20:14:54 UTC
Tags:
opendir exploit cve-2017-11882 loader stealer agenttesla
Link:
https://app.any.run/tasks/75834b47-9a25-43e4-964e-281280a1fe26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/454211/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi control lolbin packed replace
Link:
https://www.filescan.io/uploads/6529ad038d16e62970c555af/reports/1751243b-8774-46e9-b7a8-5a9e89fd23c5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d1c4c74-3e7d-4767-b4b3-ba9835cbc887
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325489
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1325489 Sample: rgknl0tZcG.exe Startdate: 13/10/2023 Architecture: WINDOWS Score: 100 36 mail.obmindia.com 2->36 38 api4.ipify.org 2->38 40 api.ipify.org 2->40 46 Malicious sample detected (through community Yara rule) 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 7 other signatures 2->52 8 rgknl0tZcG.exe 7 2->8         started        12 OaNWuw.exe 5 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Roaming\OaNWuw.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmp317A.tmp, XML 8->34 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->54 56 Uses schtasks.exe or at.exe to add and modify task schedules 8->56 58 Adds a directory exclusion to Windows Defender 8->58 14 rgknl0tZcG.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        60 Multi AV Scanner detection for dropped file 12->60 62 Machine Learning detection for dropped file 12->62 64 Injects a PE file into a foreign processes 12->64 22 OaNWuw.exe 14 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 42 api4.ipify.org 64.185.227.156, 443, 49708, 49711 WEBNXUS United States 14->42 44 mail.obmindia.com 85.187.128.58, 49710, 49712, 587 A2HOSTINGUS United States 14->44 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->66 68 Tries to steal Mail credentials (via file / registry access) 22->68 70 Tries to harvest and steal browser information (history, passwords, etc) 22->70 30 conhost.exe 24->30         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-10-13 08:00:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7d7cwlvhpyip6wuck26bo7zjtuyoyvqbkggw7ut54lkztviwueka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
261eb7c731cb98ad18fa86952bc4f0c923d9f1080e63b98536382f71de2729b9
AgentTesla
7527698e11a5f07d7a6c17f471943a9473857e724d394f043677eb59bf4dbf17
AgentTesla
7bf686345ac371853ed908a4b3bdd046477cfa4e74aa8ebe2ba48689f2bbb8e7
AgentTesla
8a0caf3a314acdd946e058b936136c755e7701c1384b1f632075c0bc8d958bcf
AgentTesla
95146fd91e53797e70aa24b0a662c345ea9c0ed0500e9a996506d3c79433304c
AgentTesla
d58f020149bf471223bd3df04f402e3d3e5710bc788646df28d61791dcdda2aa
AgentTesla
efe1847d37281288a5717c6366547aa0a1d79a06e4847ea0517066067a8f046d
AgentTesla
febd8601144ffe589e545c704e0734c6df24df1f9570e842c00bf3d5a7ce72d5
AgentTesla
+ 409 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231013-zle3cahg4x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a040efb5ce92995b5d40fd2536c8ad6a93f2d8584a3dd52f07cdb0b34c9e6e29
MD5 hash:
a5a52675690de850e3de6c05a9bd885f
SHA1 hash:
fd953edf2e910fbb43c9e6d4c8d48632bb4e55c6
Link:
https://www.unpac.me/results/57526463-9dc6-4001-a226-e95a0eb5374d/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/57526463-9dc6-4001-a226-e95a0eb5374d/
SH256 hash:
25c1ef5ed797b8a95e34a1189c1faabf924ae398c4038183ed618031aa34f6d8
MD5 hash:
d099471da0a8234b62a0bddc96c05079
SHA1 hash:
a095601c8abbad27899a4a34d6cca798d603595e
Link:
https://www.unpac.me/results/57526463-9dc6-4001-a226-e95a0eb5374d/
SH256 hash:
0fec508c14eee01d9b12546efe4498e73250c743b6d3aa6930b4a43df35c3aa7
MD5 hash:
c086ef628caf638d338f9177541ab1d1
SHA1 hash:
0d32a4ac36642dc0de88a3f554a8982165c847c2
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/57526463-9dc6-4001-a226-e95a0eb5374d/
Parent samples :
f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114
6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9
SH256 hash:
f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114
MD5 hash:
9a2273d43305150b70e4cfa69bff2231
SHA1 hash:
a618462130536e3a2d3c06a03473a584a1f4c070
Link:
https://www.unpac.me/results/57526463-9dc6-4001-a226-e95a0eb5374d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2720359/
Cape
Cape
https://www.capesandbox.com/analysis/454211/

Comments


Avatar
zbet commented on 2023-10-13 20:47:12 UTC

url : hxxp://107.173.4.18/220/audiodgse.exe