MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8aabfb2b5aeee025f4a6d963c8761011efb74797e37ee89fd37ae5c23f7f2945. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8aabfb2b5aeee025f4a6d963c8761011efb74797e37ee89fd37ae5c23f7f2945
SHA3-384 hash: 88087a99a23ad49b96e9abea0f6b4688c26f3da10193825240391edb4caa89e0b92ac17629d4a13955827a02eb851a98
SHA1 hash: c4bf2530258ebc9740579f4c04e4064fc7333fca
MD5 hash: c1db1dcb04fbab26dc96a94d9b22dcbf
humanhash: magnesium-grey-illinois-ohio
File name:c1db1dcb04fbab26dc96a94d9b22dcbf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:975'360 bytes
First seen:2021-04-27 11:45:38 UTC
Last seen:2021-04-27 12:58:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:pA12gGLR8YL0i+LUK2Uu6IMWqUmBD/dy:+kl98YJ+QVUWrkB7d
Threatray 4'771 similar samples on MalwareBazaar
TLSH A025CF3122E89A0AE0BE573AD8760210A7F0F907D322DACE6D9594DE2D757C0C67F752
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quote - P75D53 - FATP- RF.xlsx
Verdict:
Malicious activity
Analysis date:
2021-04-27 07:37:01 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/f1f70b6a-32f8-44d8-b554-5dcc9161fcb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144561/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.680.6300.25635.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/698961
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 398398 Sample: UU7rw1Z2KD.exe Startdate: 27/04/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 8 other signatures 2->58 10 UU7rw1Z2KD.exe 7 2->10         started        process3 file4 40 C:\Users\user\AppData\Roaming\FhxdkbCQe.exe, PE32 10->40 dropped 42 C:\Users\user\AppData\Local\...\tmp5481.tmp, XML 10->42 dropped 44 C:\Users\user\AppData\...\UU7rw1Z2KD.exe.log, ASCII 10->44 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 10->60 62 Adds a directory exclusion to Windows Defender 10->62 64 Tries to detect virtualization through RDTSC time measurements 10->64 66 Injects a PE file into a foreign processes 10->66 14 UU7rw1Z2KD.exe 10->14         started        17 powershell.exe 24 10->17         started        19 powershell.exe 23 10->19         started        21 3 other processes 10->21 signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 74 Queues an APC in another process (thread injection) 14->74 23 explorer.exe 14->23 injected 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 21->31         started        process8 process9 33 msdt.exe 23->33         started        signatures10 46 Modifies the context of a thread in another process (thread injection) 33->46 48 Maps a DLL or memory area into another process 33->48 50 Tries to detect virtualization through RDTSC time measurements 33->50 36 cmd.exe 33->36         started        process11 process12 38 conhost.exe 36->38         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8aabfb2b5aeee025f4a6d963c8761011efb74797e37ee89fd37ae5c23f7f2945/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-27 06:51:37 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkv7wk2253qcl5fg3fr4q5qqchx3or4x4n7orh6tpls4ep37ffcq._file
Verdict:
malicious
Similar samples:
3d5aa5168803be81252e6f8c0d7100bbb9dd53558077557b5fb3fad255b402f4
AgentTesla
6c2f5bf673b3bbc31cf425259cd5a0262094e85a8bed03714c7b39712efc4beb
AgentTesla
85b4775a04277a6a2273bf9c72b75f9154dd3d89f6f504e08d6ef32588f8ca2a
AgentTesla
9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389
AgentTesla
9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d
AgentTesla
a8599ed108a38560de3851540edbbf3b83fc87a0f56fb883a24d6fda82b90c8f
AgentTesla
c1b9977e66c9439e03addc95d4a6fc8b5325cacfdb040d74a973f678d45342ef
AgentTesla
d68888aa1e155ac65bd1ddabcf05f61bfff65f79a11cc0ee099200c3da8c5d35
AgentTesla
e096e858f6e33e79359f9be68c43cdb8536c99a6282adb420496e11b12a4aa4c
AgentTesla
ec265177529ab61116c59e3361436b6c4f9e48bbef4488d2d3a97ebdb2f9837a
AgentTesla
+ 4'761 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210427-cw5zls1h9n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.kelurahanpatikidul.xyz/op9s/
Unpacked files
SH256 hash:
11cf5a51e593c007ff4f91294cf505ffd5e425e56387c60d81e6479cc284cc3b
MD5 hash:
73cc3f7e7700e6a54cb5f291dffe5aa1
SHA1 hash:
09174f9fa55c9bac0540efb7a8c682878a32d02d
Link:
https://www.unpac.me/results/2ab4b416-75b9-4328-a0e8-db26cfc52120/
SH256 hash:
8aabfb2b5aeee025f4a6d963c8761011efb74797e37ee89fd37ae5c23f7f2945
MD5 hash:
c1db1dcb04fbab26dc96a94d9b22dcbf
SHA1 hash:
c4bf2530258ebc9740579f4c04e4064fc7333fca
Link:
https://www.unpac.me/results/2ab4b416-75b9-4328-a0e8-db26cfc52120/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8aabfb2b5aeee025f4a6d963c8761011efb74797e37ee89fd37ae5c23f7f2945

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8aabfb2b5aeee025f4a6d963c8761011efb74797e37ee89fd37ae5c23f7f2945

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/847209/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/144561/

Comments