MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa9680b982b96bce1ab425e2b7f18ea951a832a2c18bba1f6880381a7610bf68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa9680b982b96bce1ab425e2b7f18ea951a832a2c18bba1f6880381a7610bf68
SHA3-384 hash: 8cc2ea1c39e3ba08225a1c28055cf5efd1bdda45658836f4a7b5a7283ebc30a06dbc9214e396ff9499608377f6fde860
SHA1 hash: e1d6bd5e3da2969e5424716bd9acb1c9bfe5bb68
MD5 hash: 61fb9f5b2fe2261dc2143ef1c88a52bd
humanhash: nine-arizona-massachusetts-lithium
File name:detail lengkap transaksi.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'101'824 bytes
First seen:2023-02-06 04:08:38 UTC
Last seen:2023-02-06 05:31:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:iA3QrxN5IC54TWMj+uIemAAk0EyYEMjdYYuA9H:18tgiq+bemA/rEMjdxuAV
Threatray 27'211 similar samples on MalwareBazaar
TLSH T19D358ED1F150C89AEC6B09F1BD2AA53024E77E9D64A4810C569DBB1B76F3342209FE1F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter jomphatt
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
TH TH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
detail lengkap transaksi.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 04:09:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8b56c7d-15a4-422f-b75a-7d2cc83396df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360542/
Detection(s):
SecuriteInfo.com.Variant.Strictor.275740.30929.12786.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed strictor
Link:
https://www.filescan.io/uploads/63e07d60528134caf043a53c/reports/e1d488cc-7343-47cc-99dc-22b3a88bded8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/aa9680b982b96bce1ab425e2b7f18ea951a832a2c18bba1f6880381a7610bf68
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4c84ebc-b3bd-4bc2-96fa-0b2d4337a5c4
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166234
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 799005 Sample: detail lengkap transaksi.exe Startdate: 06/02/2023 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected zgRAT 2->51 53 6 other signatures 2->53 6 QcDUkJh.exe 3 2->6         started        9 detail lengkap transaksi.exe 3 2->9         started        12 QcDUkJh.exe 2 2->12         started        process3 file4 55 Multi AV Scanner detection for dropped file 6->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->57 59 May check the online IP address of the machine 6->59 63 2 other signatures 6->63 14 QcDUkJh.exe 14 2 6->14         started        31 C:\Users\...\detail lengkap transaksi.exe.log, ASCII 9->31 dropped 61 Injects a PE file into a foreign processes 9->61 18 detail lengkap transaksi.exe 17 5 9->18         started        21 detail lengkap transaksi.exe 9->21         started        23 detail lengkap transaksi.exe 9->23         started        25 QcDUkJh.exe 2 12->25         started        signatures5 process6 dnsIp7 33 192.168.2.1 unknown unknown 14->33 35 api.ipify.org 14->35 37 api4.ipify.org 104.237.62.211, 443, 49698, 49700 WEBNXUS United States 18->37 39 mail.procorpadvisory.com 101.100.204.56, 49699, 49701, 49703 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 18->39 41 api.ipify.org 18->41 27 C:\Users\user\AppData\Roaming\...\QcDUkJh.exe, PE32 18->27 dropped 29 C:\Users\user\...\QcDUkJh.exe:Zone.Identifier, ASCII 18->29 dropped 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->65 67 Tries to steal Mail credentials (via file / registry access) 18->67 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->69 43 64.185.227.155, 443, 49702 WEBNXUS United States 25->43 45 api.ipify.org 25->45 71 Tries to harvest and steal browser information (history, passwords, etc) 25->71 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa9680b982b96bce1ab425e2b7f18ea951a832a2c18bba1f6880381a7610bf68/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 00:41:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vklibomcxfv44gvuexrlp4movfi2qmvcygf3uh3iqa4bu5qqx5ua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01b0e10d7351007133aa2a5f1cef379b855706256fb70f327990ea142df772ad
AgentTesla
15e30fb7205f72a8ad7dc0842655fcc1a43fec4c919a5e28cfd61fbb5124f879
AgentTesla
41857a1bfb1cda7337d39a4c6bcec253fb44532179f9cb12e919608f227e3dcb
AgentTesla
5d2e8a87688e3f312d3df9f4fab26b5646e9837704f816f2271e7d28e4f3d412
AgentTesla
7fc0957ebbd39c15f25edb094b1e2d25ff356efcbb3f4a2bd4daf9dd8c63307c
AgentTesla
e87092e93a1a144894d2221cc206afad0989a352a3eb4e9460dedc51af542597
AgentTesla
f14871b3c4416a897aa8526ec0d5cf04f2b5fec3d2f11f46d76f7705295b45e5
AgentTesla
f76fef3e72be648d3a32fb43e48276ef6f04cc0f5a21b89d58983c3232775adc
AgentTesla
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
AgentTesla
+ 27'201 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230206-eqr79aca57/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/ccbe9ec3-3224-4224-a272-ee4a11642d75/
SH256 hash:
dc63087844cc1e7b5c3ee58ce617da4b19e493c902f90f7c2e74584466a802a3
MD5 hash:
6318695511cc411f37854318b5c3fb21
SHA1 hash:
a86c2af1caf1906e2a56b2a6749c403d515cb06b
Link:
https://www.unpac.me/results/ccbe9ec3-3224-4224-a272-ee4a11642d75/
SH256 hash:
364b707ca8ef0545d0d2cb53be013f536c4b92dab44225c77ffd119a8aa1339b
MD5 hash:
f8e20af5b658125e0e75197b51ae640c
SHA1 hash:
5dfdd20ccc183af70289c4117ef76984cd38f3fc
Link:
https://www.unpac.me/results/ccbe9ec3-3224-4224-a272-ee4a11642d75/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/ccbe9ec3-3224-4224-a272-ee4a11642d75/
SH256 hash:
f5f7352b83a3280410953768bade39c94d475c0cd4fa67e92e58f53e7b48f49d
MD5 hash:
98e2933d521c77a0056294d381286fc2
SHA1 hash:
0a99495ac400dfd9023171071fdad33d14089f50
Link:
https://www.unpac.me/results/ccbe9ec3-3224-4224-a272-ee4a11642d75/
SH256 hash:
aa9680b982b96bce1ab425e2b7f18ea951a832a2c18bba1f6880381a7610bf68
MD5 hash:
61fb9f5b2fe2261dc2143ef1c88a52bd
SHA1 hash:
e1d6bd5e3da2969e5424716bd9acb1c9bfe5bb68
Link:
https://www.unpac.me/results/ccbe9ec3-3224-4224-a272-ee4a11642d75/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa9680b982b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/aa9680b982b96bce1ab425e2b7f18ea951a832a2c18bba1f6880381a7610bf68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe aa9680b982b96bce1ab425e2b7f18ea951a832a2c18bba1f6880381a7610bf68

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/360542/

Comments