MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d
SHA3-384 hash:	3244d85747c899f18131bb91f66a286120cb1404eb766fb79500f70ca176228244818575fc698ca83b8db99e0682111c
SHA1 hash:	3604683683a8154183c99e9f487cef4206cb9d6e
MD5 hash:	6cc632d499306080e48f43f8f44b75e5
humanhash:	nineteen-harry-autumn-eighteen
File name:	Inquiry_4802BD_TX.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	702'984 bytes
First seen:	2024-03-11 17:31:09 UTC
Last seen:	2024-03-11 19:24:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:cGX3inVFaVLC1TpeDdfYAJzgA0E45l7LCGcGncHHxm8ZbpMdITVRdeOVSct58Yuk:J32Him16dABfLrNFIJZGaTjdDVD6YuY7
TLSH	T135E4232DA70C1171D3CA9BF474B48862CB35B542E427E5C9B875A1A5ACC0ED00FA6B9F
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	69e8e8e8e8e8e869 (5 x Formbook, 5 x AgentTesla)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d.exe

Verdict:

Malicious activity

Analysis date:

2024-03-11 17:44:07 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/85bc4473-71b9-4d90-a4f9-35ae73e87d3a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/478631/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2738.14914.27828.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/65ef4024869de776ad024d51/reports/754aac22-542a-40d3-9115-9a4e780089fe/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/96ad0fc3-3c06-41cc-ac62-a8a260d3d6ba

Result

Threat name:

AgentTesla, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1406933

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2024-03-11 17:32:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vnpots24aierz3eyk7qs4kwiktvg3qlbrj5ephvew7v4cityykoq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240311-v4a4wsbe59/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

06a1ae787e808d6287de314be8bec64ef2e0d3bc1bf2ea71ae268c7b8fb19e2d

MD5 hash:

91b39e533d48f5fa25ac604da90b3d8d

SHA1 hash:

f5dadf1e8fcbe64609e4cd78a27e2810f7a6e69e

Link:

https://www.unpac.me/results/d0fa56fd-a308-420b-b1ba-7a122ffea474/

SH256 hash:

c8c1020fe926cc1851b73c1915ad32e2fc393dccb402782aca8f4ea6379ba84d

MD5 hash:

ef7cf89d9ec52b18a8f5b6ee49820f46

SHA1 hash:

dcf9cb9bb3f72ca4b3cc0c00b27bd9ce10b554bb

Link:

https://www.unpac.me/results/d0fa56fd-a308-420b-b1ba-7a122ffea474/

SH256 hash:

c10c9b0882bac6f788f48b4dabe3291b14e639e650f2b9fcb0bc174ac92ae02b

MD5 hash:

7c7fb6daa78beb69128991ff893143ed

SHA1 hash:

c01bb99984b12b84129db80eae1d5d8341a358e2

Link:

https://www.unpac.me/results/d0fa56fd-a308-420b-b1ba-7a122ffea474/

SH256 hash:

1f2e82b9f0ca06a9d0184c645b7d78cc522f9813caa1f10a511caab239baa58e

MD5 hash:

d4296b7b70b373f69970c191381a3b91

SHA1 hash:

83a2b0beb0c96bd852abddc7c742c3871e3aa814

Link:

https://www.unpac.me/results/d0fa56fd-a308-420b-b1ba-7a122ffea474/

SH256 hash:

84bf811bb0d86dbbc7f5efba235746ad56824cfffa883e66789cbe4adec1a30a

MD5 hash:

63f746ae9aa15916796ee778166c06e8

SHA1 hash:

3238508f4b929520a538f5cd1796ddd881a21a83

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/d0fa56fd-a308-420b-b1ba-7a122ffea474/

Parent samples :

fb7a7bbd833d84684aec3f4825edc1ea37ccd4cfcaadc0e2756a42cc07a5714a
f230dd21df49ad4ab75c02bab7e245e6727eaa88d56fe148699831a995749592
cbebcef944dc8b96250fa57c98bef408a1f3f053f303871f89f8f3035b4b3e7a
cde4e54eecb8d93a3bf01b328a33b998ef032becee8b0e375225cbce85c4a548
394633bc848d312c2e79e48b1b10eadbce297624c6b844d4f643d93b1fb33c35
a4d1c2193d3db847e5c7132074a16826beff3d069e1ba83633b8ac7bc5c88f5e
bd010d6ec97048a7017725d3c45eef92c619abfff8ac0d8557d4325c23c662e2
88844a7569de556d31dfdd8cd8f9ec7cc2e8547148c24bcf841e728d61fb9ef1
13d1eb3cb74f8edec26f2fff6a691a9c98ae8e87777802ce1f0c67fbe3c7159f
c2d0cc385181b9e1685ce28e76d5bd1865843e67eb97796a6529bfaa34774816
ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d
e251e91c26b24c6bafb419121155f89ea9bd320b5f9f143eb2f38151d18dacd6
0a9f394309023d929f72a3b781f47bd79d64c6d1cf485849f952a307678b5590
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80
b1930e02b9dd0ed9f33b15cb20b6212c54854d5bf5045696c73572ecec373395
9e40251e52536336aee3deb9b764441efff559f90a83987c3f51db874bdee361
d36c75eeda6238e518fffee0f4b12fc0fc2e1d56d478e07b64e71814b0f4e1bb
84bf811bb0d86dbbc7f5efba235746ad56824cfffa883e66789cbe4adec1a30a
c492361ce6fdd5550bcadc9d804b30f971ceeadcd8fc549bb1bcdc9cd1f82870
9f0940b08d229480a45cd4f9d104ab5da0829dddcd968581aee5fad92b91fa80
179e544a547fd06c8af3d0aa5160448c1acf22e0d0343832097788d916051570
03dff69ef246481d70ab1a83fe3273348d165a1bab36c664dce64fa0bd5236af
f95c4cfa4575ecce08ce137d4fa5ede9fd4356814c770120dfea81d1e3ed157f
ca0e44de77ca87bdd8f7e6d9e1b778d45bbfd729a2d343c7c48cadfced235b3a
6f3edb7e9cefd209427147f4162e5dd3c87f48d12c6b4efb15c5a878ca049380
b9da0460b53615326f9123d43025e966fcb844495ede3794631f9dccabda8a6d
576f4658c5c58273967350871dfd6d60e64d54d772c812f8507de67d4784f6ff
d71c77fa0c464289f6b7fb379d7fcbf0cdd6cc8d7bacf6c989a5f0eb5c215bab
10f0f9ee32494b68132fb2b33c3b6ff4c34c98b6b11e215b1f4de0570f37af5e
e6d7aea44d50f1a31e13ca848fd9dcc8eb65a2377e409f786dcb50756c82fcc0
7945ab65ff11a8dfe0222746cb2a8dd6feab5428106b0900aee2d695254fbf50
b70065cfa09b2db420f89631e95a49daf021760dda72d34b5d57c232ac4fb48d
0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
03207279845f2d90be8cd6b3b525c4a236838c52def79c0afffbdf7216a03b7c
ebe2099ee35888eaaff59d9fbcf780687a6c9cf9c87511aae8ce959c7e1fc193
ba22a1fd5ccbbc56dd6c30c556637865c156a5e332e6a718c336b9d591b86a9c
cbe1d843259a92581d16088969b0ed1758866626b4ae37e7445abe6bf099f155
ffc6b173f9b255702bdcbe65dd606f6154865c7fea2b2488305ba8f0d9ccef58
f69515024de365946c3a58ce3315898196dcca5a2d5a9ba3f5b257818df4055a
08e931e2b4a954a57c72df289fbe2e4971a912e453b71f19d1859f1a350f9fba
077dc59cc8a2b17c1c2f17f0620368fe3b252c881cdb600aee54662d2699351c
31280f11bf64367779cdf2d9e04b62fd7ad53c28fd44bdf70e7793583793aca3
b96554898f3c80d013795e72b387087d02368d444f6a0fc645edfe3958fdc98d

SH256 hash:

ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d

MD5 hash:

6cc632d499306080e48f43f8f44b75e5

SHA1 hash:

3604683683a8154183c99e9f487cef4206cb9d6e

Detections:

INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438

Link:

https://www.unpac.me/results/d0fa56fd-a308-420b-b1ba-7a122ffea474/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ab5ee9cb5c02/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab5ee9cb5c02091cec9857e12e2ac854ea6dc1618a7a479ea4b7ebc12278c29d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/478631/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample