MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
SHA3-384 hash: 307bb1883f4e1401daeb63717ebb1fa151d8c3c47de1c9196dc96bd1743791bf9c5ba66256c879eadd5ad8df5ce45cfd
SHA1 hash: d609d1e0243b5a975642e278aa32a17171626c20
MD5 hash: 92ff863995fbd2133afe58a26b0abb37
humanhash: undress-speaker-yellow-jupiter
File name:ORDER01032021rfggfscan.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:30'328 bytes
First seen:2021-03-01 07:29:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:mUL+IiGpQV6JRX5ql0D2ur/uUVewEQpqF6hm:1lJJQl82ubuUVeV7
Threatray 2'927 similar samples on MalwareBazaar
TLSH 69D29FF376E5061BF47A0F38BD63F1B00ABCBA432D13F46E6564524F297960058ADE26
Reporter abuse_ch
Tags:AgentTesla bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER01032021rfggfscan.bat
Verdict:
Malicious activity
Analysis date:
2021-03-01 07:40:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76e75be5-66d2-4095-a147-3788385697f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120144/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Creating a file
Blocking the User Account Control
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/621857
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujhv6szs3onw2kcodk6zczak5775ctomfq6hwokc62t4alh5x3ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1817a8f184410911c6b9066527e88931d69296564be916ed0b2029c20c684bbb
AgentTesla
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
AgentTesla
79b276630a955b4f8940424fc1e85a1020cdc2d777c2760e8d696a932bb06f47
AgentTesla
90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4
AgentTesla
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AgentTesla
a8a9cb21be93047b223bd90d741d9eabdde0d1272f738f4c64720e5caceafe89
AgentTesla
abec75c995b6bac05ca3aa49002dedb12a4fc7194e93f814f3edbb996d9cfa7a
AgentTesla
c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50
AgentTesla
db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99
AgentTesla
fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
AgentTesla
+ 2'917 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210301-flcp9ql2x6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
MD5 hash:
92ff863995fbd2133afe58a26b0abb37
SHA1 hash:
d609d1e0243b5a975642e278aa32a17171626c20
Link:
https://www.unpac.me/results/18e71f18-f8a6-409c-bdae-e8a725ac9be1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120144/

Comments