MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a17ae871afd094a1aa47e2bf0634b33918b5013097bc429e9571daaad5038b57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a17ae871afd094a1aa47e2bf0634b33918b5013097bc429e9571daaad5038b57
SHA3-384 hash: be9853cce1194dd80c1a56e3981519204c7d8275cde7b9a4fe458e623f9de28e17dcd6a9d344a787fb82e1080d49d447
SHA1 hash: cb66355172b962c72b270c04d46d2bbc56b176ba
MD5 hash: 35c5cae9565e83502ad6ea2fa587efcc
humanhash: arizona-arizona-johnny-north
File name:Product Inquiry Catalogue.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'286'016 bytes
First seen:2021-12-29 06:18:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:c96wXKHFoCCx5nvN2fM6aUTgQXhOuRqKsbd24w/34mpBXhdg0L39j/i+FLMtBagK:lp7h
Threatray 600 similar samples on MalwareBazaar
TLSH T10CE5626C24C34CC2005C5DBCD4F51A69227736010F49DB0BA3AFAC9ED552AC9F56EEAB
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Product Inquiry Catalogue.exe
Verdict:
Malicious activity
Analysis date:
2021-12-29 06:21:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c009ed92-2054-4197-a1ff-213c434d2295

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216764/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.12720.836.9885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Launching a service
Creating a file in the Windows subdirectories
Creating a window
Changing a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Blocking the User Account Control
Moving of the original file
Adding exclusions to Windows Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61cbfe04ec6c6c14a9fad191/reports/cb29fc44-854b-4415-ae3f-0bf073bdc2f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e893f55-b9f9-4385-ad95-509058eb1198
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
87 / 100
Link:
https://www.joesandbox.com/analysis/913690
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546168 Sample: Product Inquiry Catalogue.exe Startdate: 29/12/2021 Architecture: WINDOWS Score: 87 87 Multi AV Scanner detection for submitted file 2->87 89 Yara detected UAC Bypass using CMSTP 2->89 91 Yara detected AntiVM3 2->91 93 9 other signatures 2->93 9 Product Inquiry Catalogue.exe 6 10 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 process3 file4 67 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 9->67 dropped 77 2 other files (none is malicious) 9->77 dropped 95 Moves itself to temp directory 9->95 97 Creates an autostart registry key pointing to binary in C:\Windows 9->97 99 Adds a directory exclusion to Windows Defender 9->99 101 Disables UAC (registry) 9->101 19 30281d0d-0371-4d16-88a8-e94bd0c600f6.exe 9->19         started        21 AdvancedRun.exe 1 9->21         started        23 powershell.exe 26 9->23         started        33 5 other processes 9->33 69 C:\Windows\Temp\efbpe5fs.inf, Windows 13->69 dropped 79 3 other files (1 malicious) 13->79 dropped 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->103 25 cmstp.exe 13->25         started        27 cmstp.exe 13->27         started        29 AdvancedRun.exe 13->29         started        35 2 other processes 13->35 71 C:\Windows\Temp\ypfbcpwj.inf, Windows 15->71 dropped 73 C:\Windows\Temp\dd05zy10.inf, Windows 15->73 dropped 81 2 other files (none is malicious) 15->81 dropped 31 cmstp.exe 15->31         started        75 C:\Windows\Temp\jbaux2l1.inf, Windows 17->75 dropped 83 3 other files (1 malicious) 17->83 dropped 105 Changes security center settings (notifications, updates, antivirus, firewall) 17->105 signatures5 process6 process7 37 PkgMgr.exe 19->37         started        39 conhost.exe 19->39         started        41 AdvancedRun.exe 21->41         started        44 conhost.exe 23->44         started        46 conhost.exe 33->46         started        48 conhost.exe 33->48         started        50 conhost.exe 33->50         started        52 2 other processes 33->52 dnsIp8 54 Dism.exe 37->54         started        85 192.168.2.1 unknown unknown 41->85 process9 file10 59 C:\Users\user\AppData\...\WimProvider.dll.mui, PE32 54->59 dropped 61 C:\Users\user\AppData\...\VhdProvider.dll.mui, PE32 54->61 dropped 63 C:\Users\user\...\UnattendProvider.dll.mui, PE32 54->63 dropped 65 49 other files (none is malicious) 54->65 dropped 57 conhost.exe 54->57         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a17ae871afd094a1aa47e2bf0634b33918b5013097bc429e9571daaad5038b57/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 04:18:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uf5oq4np2ckkdksh4k7qmnfthemlkajqs66efhuvohnkvvidrnlq._file
Verdict:
malicious
Similar samples:
21c97688730d666e13f8b52aeec94371b7996cef7afcd2dd80d0ea1b76b5f3ec
AgentTesla
2443683c507125b6d089b3537e9cb78ef67f0dd8ba5822a7a7ee78ca84feeba8
AgentTesla
366b1df1109608a444a2b0fca15cbb2bcd07b3540cd152baed65018556f3f3e4
AgentTesla
575abacc5769a079c29e1b1032853673df77376f6b6522b00edbd1b1531a1af0
AgentTesla
750adca8e434c3d8cd88be58d28d842b862f6be645ab4b86fef5b6268da9d187
AgentTesla
7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0
AgentTesla
de84340eef0ca9f002d25e7a0ffdc5be906a2b0852c728008b9ac6928c3e7259
AgentTesla
+ 590 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211229-g267nadbdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Nirsoft
AgentTesla
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocument
Unpacked files
SH256 hash:
1e385473cd2d93551185a6bafe5b7dbd6a61cc7b327a6150a9dc96699b0a0345
MD5 hash:
507bcced130b6ffd3033c11ef24c013c
SHA1 hash:
889c1c609eb9717af4686f6407a1f3d4daff441e
Link:
https://www.unpac.me/results/5451af95-079b-49ca-8c89-441feb2f2df2/
SH256 hash:
f6e832cc366fd8cfeddec741f9e7c59aa893bcd354943840b4bf81d6a465fd10
MD5 hash:
faae6c94e31336a914b98ad740c90e7c
SHA1 hash:
7664c3642420e6e4a86701d8f4ea1c7430450f4f
Link:
https://www.unpac.me/results/5451af95-079b-49ca-8c89-441feb2f2df2/
SH256 hash:
79404201504036712dfe106e4314304c79cb7d4f3d4f6cae1f8fdf31d8413a8e
MD5 hash:
3a06911f0026093a8a2df08560199aff
SHA1 hash:
46a1ad3015a5bcb4e97f3728a874eddefdbbec56
Link:
https://www.unpac.me/results/5451af95-079b-49ca-8c89-441feb2f2df2/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/5451af95-079b-49ca-8c89-441feb2f2df2/
SH256 hash:
db7faf23ea357f435cc55d2c083edd74b2418625c2224ea5af6bfa40f6c934b5
MD5 hash:
8e1eb7d20ad44111944382873f37746c
SHA1 hash:
91d2ed09416701e754796cbda993e42617e1f0db
Link:
https://www.unpac.me/results/5451af95-079b-49ca-8c89-441feb2f2df2/
SH256 hash:
a17ae871afd094a1aa47e2bf0634b33918b5013097bc429e9571daaad5038b57
MD5 hash:
35c5cae9565e83502ad6ea2fa587efcc
SHA1 hash:
cb66355172b962c72b270c04d46d2bbc56b176ba
Link:
https://www.unpac.me/results/5451af95-079b-49ca-8c89-441feb2f2df2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a17ae871afd0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a17ae871afd094a1aa47e2bf0634b33918b5013097bc429e9571daaad5038b57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a17ae871afd094a1aa47e2bf0634b33918b5013097bc429e9571daaad5038b57

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/216764/

Comments