MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344
SHA3-384 hash: ee0f71764c6a38dcf4de1b9ed3467d234aca7724bae2ecfd937ba214d01fb76c6549715a48ea244e51c329c2b604ba7b
SHA1 hash: d2c6e8649ecead695eb3375fa8475c9195c729ca
MD5 hash: 02d54f5f44865cec10c52cad5f214750
humanhash: blossom-emma-september-gee
File name:02d54f5f44865cec10c52cad5f214750.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:424'783 bytes
First seen:2023-01-19 15:34:33 UTC
Last seen:2023-01-19 17:39:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:hYa6YgEChmuV0NGqTjtsUuefWbV34ijXHe6tCxi/1tKe5Ijz8R:hYNlmdNB/t3fWlTT/1zI0R
TLSH T1279401F23558D8C3E93A01B2C97EC9760DA47C3912A2251A77A877AF9463323CB1D357
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 68c0e869d4ceccb4 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7A036BD043741ABF9418220000AF124FE75788A5
Verdict:
Malicious activity
Analysis date:
2023-01-19 13:21:41 UTC
Tags:
loader exploit cve-2017-11882
Link:
https://app.any.run/tasks/dc46d27d-e30f-4efe-b032-2243059f6141

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354627/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.2034.28284.6976.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Reading critical registry keys
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61520/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  10/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c965a5deddc48f89f824ba/reports/5ac47dee-6f5f-4728-b633-cfda30d614cf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ba00ca7-ffc9-4cca-8a61-552db3b290a5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154805
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 15:35:08 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjzetewczigrdqagus4nr5fcniqlrmenqlz27oq23bpl5nissnca._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230119-s1g2xsgd95/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/25153e74-5a10-464b-abcd-61d457745bad
Unpacked files
SH256 hash:
1d08661a3315109de32d286dfcaeaf5ef17bc4e7daee3f7159bddefa3c83b042
MD5 hash:
187656cbd6634996f299560450a75f4d
SHA1 hash:
bbabc9133920d749d1365b6fe9dc55724283bdf1
Link:
https://www.unpac.me/results/63d9b151-efbb-43d3-a6cb-4df294c49aa9/
SH256 hash:
91206e60c7d79d54091b15f4d239f54962d02e66d565034ff461472cbd03a5b1
MD5 hash:
2c86ecce527d0466c09703de5bafbc78
SHA1 hash:
b4d4f3be15deb469e01acb3bce52c6a1ed5f3282
Link:
https://www.unpac.me/results/63d9b151-efbb-43d3-a6cb-4df294c49aa9/
SH256 hash:
f0629b68c4cad832e889b43f39ee43f23095d77c910593d737d38f146ab44353
MD5 hash:
833ae0878f1ffa03ebc7020194337c70
SHA1 hash:
ad51dba5590d57455623e6e4ad8e2e5ffffa8e02
Link:
https://www.unpac.me/results/63d9b151-efbb-43d3-a6cb-4df294c49aa9/
SH256 hash:
aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344
MD5 hash:
02d54f5f44865cec10c52cad5f214750
SHA1 hash:
d2c6e8649ecead695eb3375fa8475c9195c729ca
Link:
https://www.unpac.me/results/63d9b151-efbb-43d3-a6cb-4df294c49aa9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa724992c2ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2350853/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/354627/

Comments