MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1addaf4427d6aaad756983d66ee3377f6a54bb0834db9b07fa125cb75efc9dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1addaf4427d6aaad756983d66ee3377f6a54bb0834db9b07fa125cb75efc9dc1
SHA3-384 hash: f72831bc7f98b5dccafa73df579b6afc69eb1b1598481078eeed4601a883121ad9a5be2ce5b16cfb737979fa8ecc27e5
SHA1 hash: ca20eea9f59d46cd222206cfcedd128799c1fbd9
MD5 hash: 207d01a3a7b9a7daeaa70d034130faee
humanhash: ten-mirror-zebra-yellow
File name:SecuriteInfo.com.W32.AIDetectNet.01.29249.818
Download: download sample
Signature AgentTesla
Create hunting rule
File size:744'960 bytes
First seen:2022-06-21 08:34:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8+wvoVrpQBO1zMCg+eKjAfda188IOOB6MDaFE1YpHBZR6KQVmtokYVhhM:83vM9TVjn6a28k3YPZ24tQhh
Threatray 18'588 similar samples on MalwareBazaar
TLSH T127F401F58FF8B966E16520737060A03C77E31E1EDC51D82AC6DBF18A3496AC125E4E1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281827/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.29249.818.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62b1829208903778452c8410/reports/70ae1c3f-aeb8-4c67-969b-16f12b512c67/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39ef338b-8d86-4bf7-8ed4-afdf0fd6771b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1016901
Signature
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1addaf4427d6aaad756983d66ee3377f6a54bb0834db9b07fa125cb75efc9dc1/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 06:04:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlo26rbh22vk25ljqplg5yzxp5vfjoyigtnzwb72cjoloxx4txaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
236281e1cdcf5f66e82b0987ea332c2193961a62f97d5a661e4303b12b582d41
AgentTesla
3498e69e334581c805530427ca10f48bdfd3c4084cb8a55c4046589b15cf9d74
AgentTesla
4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1
AgentTesla
554bf783cd947c0743e81f65c550a45eae8a4021b1e1700b590939dd3cae3321
AgentTesla
65b329e466d4e90c97d6d4d2732a531547db9ee7bb3a6c344c420260d14764c3
AgentTesla
f1c11fdaa554d55ae653cf3af3477d0a79eac18c0f6b5c6453586fbb70dc9036
AgentTesla
+ 18'578 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220621-kgz5dscdhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
dc657374235679cfe626bfa505e4095073275f22b02d3a3f1bd06cd96b83632d
MD5 hash:
45a97c3a35e743a9e8ec816564fb2838
SHA1 hash:
d89cc8c7cea67e2c8b54b43a3b20edc76172f82e
Link:
https://www.unpac.me/results/b526b313-4922-4cc2-85f1-754f5b648162/
SH256 hash:
c7455c4b38e91352027b3c29eaf9f22c39885028bc88d7a010f4d65b16a38011
MD5 hash:
358a4ed8ad27c8f6e9d0f1e015be1208
SHA1 hash:
cbaa43102318f37e72e2483df72fad052d724efc
Link:
https://www.unpac.me/results/b526b313-4922-4cc2-85f1-754f5b648162/
SH256 hash:
6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e
MD5 hash:
7ce2d10bd0f02667bc0e1343d9ffc1c1
SHA1 hash:
c3a5b4e5721085022eb7bf0008b7e449f9369fcf
Link:
https://www.unpac.me/results/b526b313-4922-4cc2-85f1-754f5b648162/
SH256 hash:
4da42963f16e070e9afe2be3e5be790e1e716e8ced739c57c97c2dfd8a406908
MD5 hash:
b83ce766985e8413f7ba162af60c48aa
SHA1 hash:
23fa05cfd98b26ce72b57f79f554b8de68b3569d
Link:
https://www.unpac.me/results/b526b313-4922-4cc2-85f1-754f5b648162/
SH256 hash:
1addaf4427d6aaad756983d66ee3377f6a54bb0834db9b07fa125cb75efc9dc1
MD5 hash:
207d01a3a7b9a7daeaa70d034130faee
SHA1 hash:
ca20eea9f59d46cd222206cfcedd128799c1fbd9
Link:
https://www.unpac.me/results/b526b313-4922-4cc2-85f1-754f5b648162/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1addaf4427d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1addaf4427d6aaad756983d66ee3377f6a54bb0834db9b07fa125cb75efc9dc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281827/

Comments