MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa8ea9312104712e372d739df721750a11198910517ce57d5d9615347b7f196c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa8ea9312104712e372d739df721750a11198910517ce57d5d9615347b7f196c
SHA3-384 hash: ae45adc891be89f6a01fd04bf4aeec5e103e8336a8e52e84be185344d356dac695b6ef3e2422f2d61b4c0a51e2b5f2af
SHA1 hash: a4e15d7b5cd7c37a187422b768c04d1eb49cb278
MD5 hash: 262fc218a18f15e79e79383d7bded8a5
humanhash: single-high-ceiling-nine
File name:IMG-Scanned_POs# PSB-17398902, PSB-18384789.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:711'168 bytes
First seen:2023-04-26 06:18:48 UTC
Last seen:2023-05-13 22:52:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:MgHc86XDnpfOA++GV+rpgYUyhmhVEzbjLBOghnKxtm0QOzSTmhUGRgaxMUYCPQFC:MgZ67pfOA++tl+rkvjL/hKxt5WmzxpYw
Threatray 2'601 similar samples on MalwareBazaar
TLSH T111E4232E32951B31C9BB57FA0269408053F49713E64AFB186EC591EC62F37888B1DDB7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter JAMESWT_WT
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
394
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG-Scanned_POs# PSB-17398902, PSB-18384789.exe
Verdict:
Malicious activity
Analysis date:
2023-04-26 06:20:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7462589d-abca-4731-8d5a-6d51e293081c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384992/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6448c25932d814bb2259cce9/reports/724c7402-a77f-45e0-8e76-2a57b6847917/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/aa8ea9312104712e372d739df721750a11198910517ce57d5d9615347b7f196c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c4140da-0615-42b0-a02a-673775099803
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1221227
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa8ea9312104712e372d739df721750a11198910517ce57d5d9615347b7f196c/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 04:01:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkhksmjbarys4nznooo7oilvbiirtciqkf6ok7k5sykti637dfwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02bd19db008421b6974fb5794030f064630942d926606f6f183bbc6926192399
AgentTesla
092c894a726504aa35af4e5b0ddb81738403a24556d4c86f3e9d404d63bd7f10
AgentTesla
10378a656282ac8e5d676229bc2151b553e50906495bf0bfe6ec4c93373dc2a8
AgentTesla
28471ea3ac3b278f41668a52712af9747df51f80fac749edaf403dbaaef116a7
AgentTesla
5453c16d0530e3bf32f870269a92db07188195005273c769b05752f4bb7c18e1
AgentTesla
57d148e97edd36a56b6cb5fdfae00c5224b198f9660426e68f4a0555844d803b
AgentTesla
729b3e10a37e42bba3f9999ce8a17bc69f8642d86420f05836a5d0271a718efc
AgentTesla
dfa9c347f104abbdb4bfdcfd98c45370d9df69b9cdf8cd573c5c00a2970523aa
AgentTesla
f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d
AgentTesla
ffef2423a18b6a9c7cea5e976c71cd5f5dbdacdc70bc0a08237443aad6dacf6c
AgentTesla
+ 2'591 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230426-g26wwsfe28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7c44a001cf52b3f167401a2632660d3ccfb39adf38133fc131482cdc2e650564
MD5 hash:
da15c83bc525f1201510ed8adb9686f3
SHA1 hash:
f827ed68566e1950e82ccfdddac043b12a85856e
Link:
https://www.unpac.me/results/65f7ecbb-94d6-4f5e-a5c0-86d70a5e37a2/
SH256 hash:
b3a49fd45c1385251827981adb1de0f3987e7b5f3d2ef8e235a5e4185099c1f6
MD5 hash:
b118d38005b62c40523e7901a8120710
SHA1 hash:
f822a047b0dc86830005ac916906b53a0b12db95
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/65f7ecbb-94d6-4f5e-a5c0-86d70a5e37a2/
SH256 hash:
a7097c72708a95009b4fa6aedddf29efe37c6fbb5a5af48a7e305f20a52e5a4f
MD5 hash:
4da87d7121a08a83660e9a24cd43fad3
SHA1 hash:
eacf409a5b577ba171eb2d7f908f42fb255b0783
Link:
https://www.unpac.me/results/65f7ecbb-94d6-4f5e-a5c0-86d70a5e37a2/
SH256 hash:
315fb8682eba6d8324ed0b4b81de39e56e4be6f33917c4f78c780722c0be792c
MD5 hash:
dfc36342dfde1d1e14261fc741126baa
SHA1 hash:
e17aa3644a045b0da35a1c8c94b2f9c65a9ffbf9
Link:
https://www.unpac.me/results/65f7ecbb-94d6-4f5e-a5c0-86d70a5e37a2/
SH256 hash:
aa8ea9312104712e372d739df721750a11198910517ce57d5d9615347b7f196c
MD5 hash:
262fc218a18f15e79e79383d7bded8a5
SHA1 hash:
a4e15d7b5cd7c37a187422b768c04d1eb49cb278
Link:
https://www.unpac.me/results/65f7ecbb-94d6-4f5e-a5c0-86d70a5e37a2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa8ea9312104/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/384992/

Comments