MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856
SHA3-384 hash: d2371f8d02dd0393941786f5b158ff9b027bf30830447cc2ed8fe2dd65b5fc72822b5ac13ca24c8ba15219bdf334f26d
SHA1 hash: e0c4404c2507cf058a2b675a4a8799a68c8f9abd
MD5 hash: e6394d71525a3d1285f0ba6cfed896d6
humanhash: delaware-mike-pennsylvania-uncle
File name:PRE-ALERT SKLZ2112352 SHANGHAI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:727'552 bytes
First seen:2023-05-31 05:56:10 UTC
Last seen:2023-05-31 06:34:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:wIAMTihh6xhZ6OrpcRucr7X/tmj2x9Jw0pDaOdaDGkRXeZcRXb15qgM:sMUgh8y+pr7Xlmj2dJB7YxfL15ql
Threatray 1'977 similar samples on MalwareBazaar
TLSH T159F41215EBBF1A17C0627D7D5A70517856FCC940902FE2AFE98B28BFC804A75ACE3161
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 5169ccd4b2968e96 (11 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
249
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRE-ALERT SKLZ2112352 SHANGHAI.exe
Verdict:
Malicious activity
Analysis date:
2023-05-31 05:59:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0866166-1886-4972-85a2-477fdc7497f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393811/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12885.29807.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6476e1b057eb9901cee4b04e/reports/92a42a32-b8f2-4094-8a7f-e5b7ee98b134/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e5ab3338-f9dd-42f6-be0f-8214bdc81070
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245774
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878784 Sample: PRE-ALERT_SKLZ2112352_SHANG... Startdate: 31/05/2023 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 6 other signatures 2->64 7 PRE-ALERT_SKLZ2112352_SHANGHAI.exe 7 2->7         started        11 chkttKUnqH.exe 5 2->11         started        13 My App.exe 2->13         started        15 My App.exe 2->15         started        process3 file4 44 C:\Users\user\AppData\...\chkttKUnqH.exe, PE32 7->44 dropped 46 C:\Users\...\chkttKUnqH.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmpE2A5.tmp, XML 7->48 dropped 50 C:\...\PRE-ALERT_SKLZ2112352_SHANGHAI.exe.log, CSV 7->50 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 7->78 80 Adds a directory exclusion to Windows Defender 7->80 17 RegSvcs.exe 17 4 7->17         started        22 RegSvcs.exe 7->22         started        24 powershell.exe 21 7->24         started        26 schtasks.exe 1 7->26         started        82 Antivirus detection for dropped file 11->82 84 Multi AV Scanner detection for dropped file 11->84 86 Machine Learning detection for dropped file 11->86 28 schtasks.exe 1 11->28         started        30 RegSvcs.exe 2 11->30         started        32 conhost.exe 13->32         started        34 conhost.exe 15->34         started        signatures5 process6 dnsIp7 52 api4.ipify.org 104.237.62.211, 443, 49700 WEBNXUS United States 17->52 54 smtp.gmail.com 172.217.218.109, 49701, 587 GOOGLEUS United States 17->54 56 api.ipify.org 17->56 42 C:\Users\user\AppData\Roaming\...\My App.exe, PE32 17->42 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->66 68 Tries to steal Mail credentials (via file / registry access) 17->68 70 Tries to harvest and steal browser information (history, passwords, etc) 17->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->72 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->74 76 May check the online IP address of the machine 22->76 36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-31 01:22:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 36 (63.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlo77mqoeyesvbnkkzutmrb52xfi44fi6hsuky2v3amifw6hxbla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
107f5059b55ddfab8351c5369f43325f2d051aa41f5bbfe94a48ce577626a726
AgentTesla
290900426b7f0450c34ffe8152e39484e70c6bd90e59958524074c70e3b19290
AgentTesla
3b3d92018cb4be5a3223c8b556bb8a1c817e0cbc2188b6500cbc2d4dd6d13658
AgentTesla
6118fb1f75058c3bd77040399fad44126181a9b131396a4f1ab7e6622c826dda
AgentTesla
6f75073132ca19d3880c0ac27a6d885d6f18f7c1b2650da13aeb84e5061acbb1
AgentTesla
a2568c55311566d7907ad76b9b833d696ca45eb06b06e581a1e673d4442c613e
AgentTesla
e28f5580f49499fbe090745eb426fce6b027c44a07f9319dd239826aad4f6d8b
AgentTesla
e4f3aa1d60e49f6b486a6fb5f5c5cf70299b12b6eb30556ce30c69c29d818c01
AgentTesla
f2168fe0192cc2c215eb36164e3f646177934df2681703551ac90ab73875f37d
AgentTesla
fb36ca37495933a6fdd5da7db3dc63e1eba950c54a2626e7fbcf520118a0b09e
AgentTesla
+ 1'967 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230531-gnlc2adf2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/371125fb-edd3-4695-bb5f-1e601ca9b7fe/
SH256 hash:
b845298489a78c7d66ba9e106de1606e64f9104b2fedc756ebe22275dbee8634
MD5 hash:
9e4440f3a14a5099078ddb26d3fef08d
SHA1 hash:
80c47af8fa3ccfabbb1ec79e7f7b03c19b337dbf
Link:
https://www.unpac.me/results/371125fb-edd3-4695-bb5f-1e601ca9b7fe/
SH256 hash:
ab866ef8a6802c76990935bec2ae6b32357f831ac192282d551bd37e49eb4cd2
MD5 hash:
6ffc390ad03eb30f2c626d4da953fd8e
SHA1 hash:
4180cc051c780ef177792ea9946d7853ed44a60c
Link:
https://www.unpac.me/results/371125fb-edd3-4695-bb5f-1e601ca9b7fe/
SH256 hash:
7eabe808b11e30c6451dfe89b0562ebbdb98f2d4cfff70bc5a7ea84499d3bdee
MD5 hash:
b8ba9f55f02c95b07ec0ae58c9e49fac
SHA1 hash:
37a19363337fb8b70c5ec95e12caff17f9000ec3
Link:
https://www.unpac.me/results/371125fb-edd3-4695-bb5f-1e601ca9b7fe/
SH256 hash:
aebb70a755b75970282ea0236fa987ab113d674cec0bed29327bbb81d5b8406b
MD5 hash:
657c93fc925772bfb3397ba78d2b3e85
SHA1 hash:
23122d649028aa8e47e0e24c5886a83b9d6a70d6
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/371125fb-edd3-4695-bb5f-1e601ca9b7fe/
Parent samples :
fb36ca37495933a6fdd5da7db3dc63e1eba950c54a2626e7fbcf520118a0b09e
e28f5580f49499fbe090745eb426fce6b027c44a07f9319dd239826aad4f6d8b
aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856
651e74ff3f9ebb5fa625881c5d8356be5c807aeee5d3987e8f279f60e0dfe1db
337d449fb4debc0bd9f6862e065d8876d53f0a7d10c72cf56c9c5905daf45e9f
789b09cd036a9193816db2e3eb2422a90fb23342ae6b6440d1ea4bd8efc9aca1
d616aefbc324763685be6e923e5d94e3272647f95187080e7e1c8fcf28173b72
SH256 hash:
aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856
MD5 hash:
e6394d71525a3d1285f0ba6cfed896d6
SHA1 hash:
e0c4404c2507cf058a2b675a4a8799a68c8f9abd
Link:
https://www.unpac.me/results/371125fb-edd3-4695-bb5f-1e601ca9b7fe/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aaddffb20e26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe aaddffb20e26092a85aa566936443dd5ca8e70a8f1e5456355d81882dbc7b856

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393811/

Comments