MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8aad37f11743588002ae17b9be7e92afe8389e29e3522d02b2541fcb0d18fbea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8aad37f11743588002ae17b9be7e92afe8389e29e3522d02b2541fcb0d18fbea
SHA3-384 hash: c2911da49fd52bd731acc352baa4c4d939ccd1c0ee7cf4157212956675fde12ae8afd8e215708be3de63b0fbe4433334
SHA1 hash: ee7561695b83cb3d97313be2e3226cdc7b6a62b0
MD5 hash: 29658e5b29a0c600319dd07609003428
humanhash: july-zulu-wolfram-early
File name:Updated SOA - (USD1,963.00).pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:725'504 bytes
First seen:2021-09-03 05:20:35 UTC
Last seen:2021-09-06 05:06:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:vFJLgG0FUgL910bpB90u+gua7zPE1X572ad/gs2MDNGslgFBoxmTJEAmg+:lgL8F0UszXYsb4vFBoxmFEAmD
Threatray 9'392 similar samples on MalwareBazaar
TLSH T1E5F41E3E58FE2327D166C7F5CBE58823B1C49DAF3132A92557D767264322A4634C322E
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Updated SOA - (USD1,963.00).pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-03 05:23:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91a5776d-6041-4934-b420-b5ebbbc44bda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185010/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a recently created process
Launching a process
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f09ab7be-e2c6-4cc1-a341-8d9e8596dd71
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844521
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 476952 Sample: Updated SOA - (USD1,963.00)... Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Found malware configuration 2->68 70 Multi AV Scanner detection for dropped file 2->70 72 12 other signatures 2->72 7 Updated SOA - (USD1,963.00).pdf.exe 7 2->7         started        11 kprUEGC.exe 4 2->11         started        13 kprUEGC.exe 5 2->13         started        process3 file4 42 C:\Users\user\AppData\...\fRJeRKhVNbhWt.exe, PE32 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmp61DE.tmp, XML 7->44 dropped 46 Updated SOA - (USD1,963.00).pdf.exe.log, ASCII 7->46 dropped 74 Injects a PE file into a foreign processes 7->74 15 Updated SOA - (USD1,963.00).pdf.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        22 kprUEGC.exe 11->22         started        24 schtasks.exe 11->24         started        76 Multi AV Scanner detection for dropped file 13->76 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->78 80 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->80 26 schtasks.exe 1 13->26         started        28 kprUEGC.exe 2 13->28         started        signatures5 process6 dnsIp7 48 mail.sautiyapwanifm.com 198.187.31.108, 49739, 49740, 587 NAMECHEAP-NETUS United States 15->48 36 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 15->36 dropped 38 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 15->38 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->52 54 Tries to steal Mail credentials (via file access) 15->54 56 Modifies the hosts file 15->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->58 30 conhost.exe 20->30         started        50 192.168.2.1 unknown unknown 22->50 40 C:\Windows\System32\drivers\etc\hosts, ASCII 22->40 dropped 60 Tries to harvest and steal ftp login credentials 22->60 62 Tries to harvest and steal browser information (history, passwords, etc) 22->62 64 Installs a global keyboard hook 22->64 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8aad37f11743588002ae17b9be7e92afe8389e29e3522d02b2541fcb0d18fbea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 02:31:29 UTC
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkwtp4ixinmiaavoc64347usv7udrhrj4njc2avskqp4wdiy7pva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
075d98e62c3f5fcbff5c865c72ca862087052e56f0bca4d564595be759f5f2cd
AgentTesla
129b0eec0aa5c415ff6ad11445c5fca395785ea83127aba7061022fd7519f648
AgentTesla
6446aa9e6d05fbf19b8458e5ee6d3f10f9eb5a874c98290712aa7453737b7a8c
AgentTesla
a88fde97391eb9c0a240190df20a348700826d0e4f0649aa22c0768b757d4b1f
AgentTesla
c1869d79f9a68684a0cdf7c9c0a4a6315b16c1ca377e9ee98ccb452268398a26
AgentTesla
e9b0fc924a612f4d7317166b26e9bc6fc4807ffeb3c91accb34e851326617190
AgentTesla
ee4b55a0b460933a61523d5c7ba71f9a4723323f31791777560b63f829f9e2bd
AgentTesla
+ 9'382 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210903-f1z7aaccf2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9a569be1313734a7a5657149f890204e1246833e80ac0e45c15b9ebc972cfa99
MD5 hash:
db1ca79a10eb8debc020653b67a41ed4
SHA1 hash:
c9aff868749946879d85e0c75c11a085d3c244c2
Link:
https://www.unpac.me/results/b70edd6b-8b9c-4c85-bb56-304b94c54f43/
SH256 hash:
65ce7135bccd1a569fee59f41ea2f7640a133ff58ec77aa0ec3257f429dca6c7
MD5 hash:
8be7eb57def1b2fc8006033b9266fa61
SHA1 hash:
927fe0fca8fae50474e1191d5e00a9fd68293a11
Link:
https://www.unpac.me/results/b70edd6b-8b9c-4c85-bb56-304b94c54f43/
SH256 hash:
8b2d1caf7637d41b0b8c614633f19c5943dfdc7c8b86f8fc28c977f77cd40292
MD5 hash:
23755008bbeed2650ace19ed612b3257
SHA1 hash:
884de2d26ca8acd9aaa16eb3425d1a558dec0252
Link:
https://www.unpac.me/results/b70edd6b-8b9c-4c85-bb56-304b94c54f43/
SH256 hash:
8aad37f11743588002ae17b9be7e92afe8389e29e3522d02b2541fcb0d18fbea
MD5 hash:
29658e5b29a0c600319dd07609003428
SHA1 hash:
ee7561695b83cb3d97313be2e3226cdc7b6a62b0
Link:
https://www.unpac.me/results/b70edd6b-8b9c-4c85-bb56-304b94c54f43/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8aad37f11743/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8aad37f11743588002ae17b9be7e92afe8389e29e3522d02b2541fcb0d18fbea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8aad37f11743588002ae17b9be7e92afe8389e29e3522d02b2541fcb0d18fbea

(this sample)

  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/185010/

Comments