MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a96e81ab89b3f962fb6281960569afc001c76f1a1af0866eb615db5b1824f9ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

SHA256 hash: a96e81ab89b3f962fb6281960569afc001c76f1a1af0866eb615db5b1824f9ef
SHA3-384 hash: 44d4408fa87f40f6cf211da52224371f52e01988d9605ab0e38b9cf244aa6b350f6c969915cf8275ca8e86514b8e63b5
SHA1 hash: 6ff749b5e5547c3eecb0648c3e3f9c3121f52178
MD5 hash: dd6e337d4f8e3dc491ca73ba597c9181
humanhash: four-mississippi-pluto-arkansas
File name: yswrwire.exe
Signature: AgentTesla
File size: 4'634'624 bytes
First seen: 2022-03-22 20:53:35 UTC
Last seen: 2022-03-22 22:53:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 98304:+6jLQ5/7zlD1mRs+L2PeeYw/GcnuSAo/bQU589sQnHh6RCAJx:+d17hwRs+LoOcuSAo/MU5gs8HgQ
Threatray: 208 similar samples on MalwareBazaar
TLSH: T19F26338EFB408775C4291DB0B861485103266F3968B2DB6CB99972FA37FF3644646F23
dhash icon: f9c9c9c8dcc1ce0c (13 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter: GovCERT_CH
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 276
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  DNS request
  Sending a custom TCP request
  Creating synchronization primitives
  Launching a process
  Creating a process with a hidden window
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Adding an access-denied ACE
  Creating a process from a recently created file
  Creating a file in the %temp% directory
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour:
  Behavior Graph: n/a

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-22 19:52:16 UTC
File Type: PE (.Net Exe)
Extracted files: 23
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour:
  Creates scheduled task(s)
  Modifies data under HKEY_USERS
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  System policy modification
  Enumerates physical storage devices
  Drops file in System32 directory
  Suspicious use of SetThreadContext
  Checks whether UAC is enabled
  Checks computer location settings
  UAC bypass
Unpacked files

SHA256 hash: fb25a9c15a2e8dfdba138997519bd312da019aedbec7f439c1fc736b2b54bf67
MD5 hash: 6a1b63f069b261cfb3941e5aec802aaf
SHA1 hash: ed2b8362847aea8ebda3951376bac8f6ce15731e

SHA256 hash: 5ad9824ff3286a83dd5191586c52961dcae359fdbf2caf692b1175a58db008dc
MD5 hash: 692d722668bdf5604461fc922e5e6df1
SHA1 hash: 869cad7d52ffe702b791e0be7a3fb2a56a1b8c82

SHA256 hash: 301642ff8826ac264d1a78b36237b5ece99cb31a2d9cecd04aafb3449679d94b
MD5 hash: f08268ddb5c1236b947fe2864860fc98
SHA1 hash: 772410110fee00fc53939b94c2f64069fa824cf4

SHA256 hash: 67903b7f5614a8820f98b354a38fe524ac14f2bca1a651e5e62b6115f29d706d
MD5 hash: 2cbb3c7f08f2590e17ab9b829a3f5d54
SHA1 hash: 041239568406e0dade21ef6d72b3181aa00164e7

SHA256 hash: 4e97a7e6544f4e4d75652b7812376dda06274c21ad94e67b2ba912d49927dd5a
MD5 hash: 2bad87d1bb6c9804705c81b56731aa43
SHA1 hash: 303f30103acdff64c7b6343fe08259775fde776d

SHA256 hash: a96e81ab89b3f962fb6281960569afc001c76f1a1af0866eb615db5b1824f9ef (this sample)
MD5 hash: dd6e337d4f8e3dc491ca73ba597c9181
SHA1 hash: 6ff749b5e5547c3eecb0648c3e3f9c3121f52178

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: AgentTesla
File: Executable exe a96e81ab89b3f962fb6281960569afc001c76f1a1af0866eb615db5b1824f9ef (this sample)

Comments