MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ae5abd5ea0bc9742adcf468c68d5149af2a579ded5d4b85097df4d191c9f62d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	9ae5abd5ea0bc9742adcf468c68d5149af2a579ded5d4b85097df4d191c9f62d
SHA3-384 hash:	99c0fca3ea88aab32d67e29f50ca1c0cc419c3991734ad5384af2810b1c95b2ab87874161044c48f655d6ad489e97f24
SHA1 hash:	a6df7b734c9944e5bde31040f818ebb0474ac34f
MD5 hash:	809e84358a4d31a64d19d9b8497503f7
humanhash:	high-echo-delaware-spring
File name:	SecuriteInfo.com.W32.AIDetectNet.01.17738.30918
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	799'232 bytes
First seen:	2022-06-06 10:51:32 UTC
Last seen:	2022-06-06 11:31:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:0V+sS1HbsP3kyJQqVyvW8paFNnIeqSfS6db:A/o7m3kyJWWWaFKSzdb
Threatray	18'173 similar samples on MalwareBazaar
TLSH	T16205D02076AAA24CC92B4F724C3658C05B753A677F09CB4E285A138CDC67A578F127F7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	10c0e0bc90909000 (12 x AgentTesla, 12 x Formbook, 7 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.17738.30918

Verdict:

Malicious activity

Analysis date:

2022-06-06 11:02:06 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/15409cbc-3c98-46a5-93ad-0fdfa00b233e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276966/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.17738.30918.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/629ddc6be22d00d5e1942e8e/reports/dfacb2b4-b8b9-4587-9250-026d29cc8f2a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb70d29c-a62a-433a-b1b3-9c5d56932688

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1007272

Signature

.NET source code contains very large array initializations

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ae5abd5ea0bc9742adcf468c68d5149af2a579ded5d4b85097df4d191c9f62d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-06 08:01:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tls2xvpkbpexikw46rumndkrjgxsuv455vouxbijpx2ndeoj6ywq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4fec5400f6123353f23459460c3329573f7b4f0a473082ed1e0dbb3ca3c36e80

AgentTesla

60ad9b79fa3fd8d43aad5145ae7916fe04f55e487864946cad9523eaa8de02dd

AgentTesla

c2cc26cf1ca74f4fc3417d33bf12e4715e9b031d20b7208664bdec373bd528c4

AgentTesla

d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a

AgentTesla

d285dd9606cf62e393b6203a843a9a0392da885f2f427106885bff3ebafef759

AgentTesla

defbeba113680db4e014a2b34be77a64529d1e0d5fb837e732eec92b842d364d

AgentTesla

ef85f9069eb8f860d143a599a3fe891ddff4341b3f6da959c69e6b6b22d3f53e

AgentTesla

+ 18'163 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220606-mydntsfed6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

910c752634281e8e006219d9d427e5a61fd5f3fff0fb7b0ffbab0e914eaea3f2

MD5 hash:

09aa8cbb42d7e4ab44829340bf8b640f

SHA1 hash:

f03da319355f0999f92a0005857975014e8ae728

Link:

https://www.unpac.me/results/b309b151-fb3a-4528-b1cb-e687d5e2e9c1/

SH256 hash:

40fa0186d1bf650379e32b1799715f9fd3fef7f06321a32cbf8303e4fcf48b19

MD5 hash:

64f6fac61e0954a5f0b85f7306a8e956

SHA1 hash:

623d4f6f49785765624453afbfb1172e6025e78e

Link:

https://www.unpac.me/results/b309b151-fb3a-4528-b1cb-e687d5e2e9c1/

SH256 hash:

8e88aaa9014d04b1ef25dbcda8ddd06017be33b89c185a0ef60e84ce07d4aa82

MD5 hash:

dbcd32a3fceab5491cf57ec1d665f4d2

SHA1 hash:

5805fb72ee86ee4420fd14790b29ee0651d35def

Link:

https://www.unpac.me/results/b309b151-fb3a-4528-b1cb-e687d5e2e9c1/

SH256 hash:

ca40e8e69e4f1894cd1d48363f03808693e589d951920ce11feb5f7320140c8b

MD5 hash:

1698c4339fd5d3ea90539f3eb52e4c2b

SHA1 hash:

278c12bffbb04e7341b6514560bd0a358b7d3029

Link:

https://www.unpac.me/results/b309b151-fb3a-4528-b1cb-e687d5e2e9c1/

SH256 hash:

9ae5abd5ea0bc9742adcf468c68d5149af2a579ded5d4b85097df4d191c9f62d

MD5 hash:

809e84358a4d31a64d19d9b8497503f7

SHA1 hash:

a6df7b734c9944e5bde31040f818ebb0474ac34f

Link:

https://www.unpac.me/results/b309b151-fb3a-4528-b1cb-e687d5e2e9c1/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9ae5abd5ea0b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ae5abd5ea0bc9742adcf468c68d5149af2a579ded5d4b85097df4d191c9f62d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample