MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f
SHA3-384 hash: 53b98043ccc9fa2380215b8d4b67818d32f8540b3d11e11de5a76f57bb9b981489648e9781d7fbe603144af17d2438f3
SHA1 hash: f0549d5acf472d5f37c918120983a6a48ac9e589
MD5 hash: ba30b4e7b1823d3bbbfa2cdef17cd243
humanhash: mockingbird-river-march-arizona
File name:Avaliablity Accounts.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:670'720 bytes
First seen:2023-05-01 15:38:35 UTC
Last seen:2023-05-13 22:47:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:l0dTnj8vdP5ArlczwGdkpuTHB2h6Y+It/MZlXiZY:ODj8/Ec82b2MY+W/MrSZY
Threatray 622 similar samples on MalwareBazaar
TLSH T17BE4DF176458C98AFD1DCB35C464FBF062B8BCB3E4E594232B763C85F9FAB41190825A
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c0f43ebeb45012b2 (7 x AgentTesla, 4 x Loki, 2 x Formbook)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
347
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Avaliablity Accounts.exe
Verdict:
Malicious activity
Analysis date:
2023-05-01 15:41:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75418060-daea-4a9d-95ea-15df80eb792b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385848/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644fdd18463eacbc57db4099/reports/f8a572df-f498-4d17-8918-58cc7b79bb4b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5991197c-3616-4198-a3ca-c993f7e97a9a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224106
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 857059 Sample: Avaliablity_Accounts.exe Startdate: 01/05/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 5 other signatures 2->51 7 Avaliablity_Accounts.exe 7 2->7         started        11 gsLOfRRKEa.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\gsLOfRRKEa.exe, PE32 7->31 dropped 33 C:\Users\...\gsLOfRRKEa.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp6EB7.tmp, XML 7->35 dropped 37 C:\Users\...\Avaliablity_Accounts.exe.log, CSV 7->37 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 Avaliablity_Accounts.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 21 gsLOfRRKEa.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 geodataghana.com 104.245.16.216, 25, 49707, 49708 ASN-VINSUS United States 13->39 41 mail.geodataghana.com 13->41 63 Installs a global keyboard hook 13->63 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 mail.geodataghana.com 21->43 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->65 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal browser information (history, passwords, etc) 21->69 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 15:39:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vi7ipq4in7sehx3rwzo4jbfubai2eu7rvrscu4gfszjzckukiz7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c5cc71cd847d8a2679ec629b631b4d7e1082e7126022ab26ff015298d93a61e
AgentTesla
1ecc2a4139ce825a85a02bef3426dbcb6a37cc2577dd665fe7c41a73fdd58370
AgentTesla
234d425a3c85a27252fa477d05a387a30a6e248f1ea17b2e7fcaac13cb9c8db3
AgentTesla
487684e01b232a60cff5d2eb9c1a438e3b6545a6e2610771084079bdf42764fd
AgentTesla
54ce28992dff46801741011c4bc6f2f893dd21cb5cabe7d59214e584279a7fda
AgentTesla
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
AgentTesla
ba852b38002916eb89dd9ada1f1ff78c308b433732b1600813789f5707ab6d62
AgentTesla
cf6a0127f90f8d0155b5b822830bbe5f0b1966e74f805b4c1814af34df750748
AgentTesla
dd344c32dd59a635e9ebfec3a33f2242178c82498769b995d7fb1c47a34882c8
AgentTesla
f44bc5440ea740d4aa104363157abba31e781936400873d4ac4736506c0b0246
AgentTesla
+ 612 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230501-s3lswsca7s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0d34bbd8f1b13cadcbf158e777980061b6795fd81accd29825205aba00c01cd2
MD5 hash:
a5b325809c4a8fe7c12c56d45e74d8a8
SHA1 hash:
9f77583865f6f4d1467fa2e982be8c6a35723c6c
Link:
https://www.unpac.me/results/54f2b6ac-3bcd-4244-86da-86a52eb16c97/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/54f2b6ac-3bcd-4244-86da-86a52eb16c97/
SH256 hash:
977fcd94dd053d4e28cd5025dce28b042a8e6d382151c9c59cdee0be529c6b34
MD5 hash:
08627b42186e6c4974005e5d721f2dd2
SHA1 hash:
70a565170eb90e58348168c487542421a80b32fc
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/54f2b6ac-3bcd-4244-86da-86a52eb16c97/
SH256 hash:
d8bb4a5f8e70f0110bc5f9e95ec6037c038510793d8643e3f6240a6a61fa8484
MD5 hash:
0c629ac0d54f143a82e6bc7272259d4d
SHA1 hash:
4dd03c62cd77330f9633b867701c94d40b5c54ae
Link:
https://www.unpac.me/results/54f2b6ac-3bcd-4244-86da-86a52eb16c97/
SH256 hash:
078adc24696a65a04c9ea47a0510d3ae46fe9d9a86ee1ddadfcc7f25d574396c
MD5 hash:
37b6bee2e282c1a65af7aa120d4736f4
SHA1 hash:
2a97d8166c4568b7aa860ddbab6c2d3049aef89c
Link:
https://www.unpac.me/results/54f2b6ac-3bcd-4244-86da-86a52eb16c97/
SH256 hash:
aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f
MD5 hash:
ba30b4e7b1823d3bbbfa2cdef17cd243
SHA1 hash:
f0549d5acf472d5f37c918120983a6a48ac9e589
Link:
https://www.unpac.me/results/54f2b6ac-3bcd-4244-86da-86a52eb16c97/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa3e87c3886f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385848/

Comments