MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac401ecae8d098f5c8e562212111aada6e40318d92ae74a21d426f4b43526c7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac401ecae8d098f5c8e562212111aada6e40318d92ae74a21d426f4b43526c7f
SHA3-384 hash: a95cbb23887085cf0bb3ab8456b7914124bfd8f243ff38ca3e956f3f1a6c459463918eaa1404229db56e6b9abc38b511
SHA1 hash: 65d0e4534b6bc4a5a47c98613deb8c89632a5e02
MD5 hash: b4f364201293f509e6bcd4c3ddc1029c
humanhash: july-cup-leopard-lima
File name:Request For Quotation for Supply of Promotional Items_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:823'296 bytes
First seen:2020-11-16 16:57:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:OemRz9NK3SYUnvhAMDiU7xc2oWz0WHLxTkqFdAA:Gz23SYUpfDiU79oWwSTPA
Threatray 1'243 similar samples on MalwareBazaar
TLSH A3054AA063688B9AF87E437E6431595363F2692FDB14DD0D3CB1EFDE282235103625A7
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538246
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac401ecae8d098f5c8e562212111aada6e40318d92ae74a21d426f4b43526c7f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-16 05:53:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrab5sxi2cmplshfmiqscenk3jxeammnskxhjiq5ijxuwq2snr7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a41900b78aa8ad61d42ee6cf76f4045093ea691d6a0e0ab6d535f6bb6ddb907
AgentTesla
13207816457e33a0430e6da6d1ab86d9797f9c2895a7491c142b5b8bfee3bb0d
AgentTesla
1a9a0333c8c544cdf43f51eaa895169513c27bdb818f42bb301d476ac1330672
AgentTesla
45cd8607c8221613edb11abb3954bceccd4fcb97f54a2b18d7eb544363e7db9b
AgentTesla
6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc
AgentTesla
87f83df5fdaabe9b71e77fe26640c185b8312cc5cbd34ebcc6dc047d72885299
AgentTesla
a39d375b4498174ca49f07d6bc5a152d34bbb3b7681b209125f2a1c7a8b01185
AgentTesla
a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641
AgentTesla
ba35ef227636d6968eeada03534fc58057ffc2514eb120dd4e3326c0a84dafd1
AgentTesla
c2c8dd06ab505a3989373e72a3f565054a63716424f559592859024d2bade1d7
AgentTesla
+ 1'233 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201116-jhba8ssz2j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ac401ecae8d098f5c8e562212111aada6e40318d92ae74a21d426f4b43526c7f
MD5 hash:
b4f364201293f509e6bcd4c3ddc1029c
SHA1 hash:
65d0e4534b6bc4a5a47c98613deb8c89632a5e02
Link:
https://www.unpac.me/results/c9e03444-2dcc-4cdb-9301-873fcf7731f3/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/c9e03444-2dcc-4cdb-9301-873fcf7731f3/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/c9e03444-2dcc-4cdb-9301-873fcf7731f3/
SH256 hash:
696c0fb4aa7f8860b2091c2621ac34203d2c28c80b3192992e00122183c86d2b
MD5 hash:
35807ce57aae9d205ac685aa8eaac855
SHA1 hash:
95f5c02a5292242a838db604910a747a623993b8
Link:
https://www.unpac.me/results/c9e03444-2dcc-4cdb-9301-873fcf7731f3/
SH256 hash:
0f8b8f44c7e23552c9d228cd748f9372cf41080d6707110566360be1b90e111b
MD5 hash:
5eceb92761cdd65b3dfea3c4b4cd91d6
SHA1 hash:
cc75993bf3ada29fe7114e90a04acf845d1fd7e8
Link:
https://www.unpac.me/results/c9e03444-2dcc-4cdb-9301-873fcf7731f3/
SH256 hash:
895428ae27efe38e55509d69edff5c088097089d906355e06b8571a35b8f5f1f
MD5 hash:
05ec4348a49db50bdebf3a91809a1fbd
SHA1 hash:
d643e761609308cbc0afda0f64c443745a7a3eaa
Link:
https://www.unpac.me/results/c9e03444-2dcc-4cdb-9301-873fcf7731f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac401ecae8d098f5c8e562212111aada6e40318d92ae74a21d426f4b43526c7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments