MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac4eccf76de23fc434d72a6a34afb5c049df30a8d4b617b7a81fc871669765be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac4eccf76de23fc434d72a6a34afb5c049df30a8d4b617b7a81fc871669765be
SHA3-384 hash: b11f5f27b494360197108adcf3dd0c6dcf2c68fcda79612342820da7d693dc2c0cb9367fd12f270451a1f9bc101186c3
SHA1 hash: b41fc3c9523d8428a66710eb213b9183cbdee730
MD5 hash: 383df47021ef6ecfa8dcef53de323123
humanhash: pasta-fourteen-social-ceiling
File name:FİYAT TEKLİFİ TALEP RFQ_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:781'312 bytes
First seen:2022-01-06 17:01:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:h8iohSFe13igcuqOTFH4eqv5u5vQND0w86TDEqX/cCDVNLYpOrrpNY+HbXQXASg:h8igSC3igcOTFH4eOu5gD0wJ9vcCDVN9
Threatray 13'682 similar samples on MalwareBazaar
TLSH T11EF4C01117E49629E0EF577DE0A4805883F4F625A98BE71E6E84B0FC1C73761CD623AB
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FİYAT TEKLİFİ TALEP RFQ_PDF.exe
Verdict:
Malicious activity
Analysis date:
2022-01-06 17:05:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ccb1f8a-3ff3-444c-b632-24f27cbe7e2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217578/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61d7209002e388f9fdb06600/reports/f868b92c-2a1b-45d8-905a-786bb6872a13/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/163eb115-bcb6-4357-965e-de203380f69d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916402
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548880 Sample: F#U0130YAT TEKL#U0130F#U013... Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 11 other signatures 2->80 7 F#U0130YAT TEKL#U0130F#U0130 TALEP RFQ_PDF.exe 7 2->7         started        11 RmxqUKg.exe 2->11         started        13 RmxqUKg.exe 2->13         started        process3 file4 54 C:\Users\user\AppData\Roaming\AZFNSOsW.exe, PE32 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpEC00.tmp, XML 7->56 dropped 58 F#U0130YAT TEKL#U0...LEP RFQ_PDF.exe.log, ASCII 7->58 dropped 82 Adds a directory exclusion to Windows Defender 7->82 15 F#U0130YAT TEKL#U0130F#U0130 TALEP RFQ_PDF.exe 7->15         started        20 powershell.exe 25 7->20         started        22 powershell.exe 24 7->22         started        24 schtasks.exe 7->24         started        84 Multi AV Scanner detection for dropped file 11->84 86 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->88 26 powershell.exe 11->26         started        28 schtasks.exe 11->28         started        34 2 other processes 11->34 30 powershell.exe 13->30         started        32 powershell.exe 13->32         started        signatures5 process6 dnsIp7 60 etites.com.tr 137.74.23.112, 49811, 587 OVHFR France 15->60 62 192.168.2.1 unknown unknown 15->62 64 mail.etites.com.tr 15->64 50 C:\Users\user\AppData\Roaming\...\RmxqUKg.exe, PE32 15->50 dropped 52 C:\Users\user\...\RmxqUKg.exe:Zone.Identifier, ASCII 15->52 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->66 68 Tries to steal Mail credentials (via file / registry access) 15->68 70 Tries to harvest and steal ftp login credentials 15->70 72 2 other signatures 15->72 36 conhost.exe 20->36         started        38 conhost.exe 20->38         started        40 conhost.exe 22->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac4eccf76de23fc434d72a6a34afb5c049df30a8d4b617b7a81fc871669765be/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 07:06:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
14 of 43 (32.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrhmz53n4i74ingxfjvdjl5vybe56mfi2s3bpn5id7ehczuxmw7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3a361c768a1ebfd17d5b44a2d4915301c9f06640720f0644fd9809b48b12c4c3
AgentTesla
57b2a44351febaa40160b21423b5f084f15802290e82910cd3d94331eb3e3791
AgentTesla
99ed8a3d3d579ffcbca302f6c584fb044b260495a92d85bc1af66bd295bc402d
AgentTesla
dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84
AgentTesla
e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d
AgentTesla
e7d489df6c41d065986388f6673e9b179acf89d87acf58ca8a015d778a6c8dff
AgentTesla
ef0a4d74505ed6671e8a1de8c1c3d91d87aa06a0fa63467b3bbdbb241eb9c1e0
AgentTesla
f4bb5c1806e72df06936c0b9b1fefe3cfe5cf68604bdaa36ffbc61a2860aa6b9
AgentTesla
f7e04a704089ed7e79b3642e223363084ed1b482cf417295b64e71ab087edc61
AgentTesla
+ 13'672 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220106-vj6easbdf6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
589c4c279dc737693e0bbbdafed22b9bdc2c010db7b2fb2714c7514bcf3d3bc0
MD5 hash:
3195742d3b7dd5194a866456404fd2d7
SHA1 hash:
a09940477bdc0461e69bbfe321865a7695b22af9
Link:
https://www.unpac.me/results/e6cc34c8-7470-4031-b7cd-f33fbf074501/
SH256 hash:
604d25d40ac23880e64999fb7d3e5ee835cb2631fcb8eef6f7cde72b45b3f278
MD5 hash:
1d368c8ac8bf5d4d0d5169b264ed50c7
SHA1 hash:
96e9090392f6bb43f94b7ed48e0c5443140ca22a
Link:
https://www.unpac.me/results/e6cc34c8-7470-4031-b7cd-f33fbf074501/
SH256 hash:
c88a5a9f1d1f452a735fd128d1b8781315236c21aef60dd3ca6d749e3863d4a0
MD5 hash:
cb5498afeb3287bcc08a84bff8c5e36b
SHA1 hash:
365b9cbdd07197b0d70b6e7b8fe8d7cc74b66be4
Link:
https://www.unpac.me/results/e6cc34c8-7470-4031-b7cd-f33fbf074501/
SH256 hash:
ac4eccf76de23fc434d72a6a34afb5c049df30a8d4b617b7a81fc871669765be
MD5 hash:
383df47021ef6ecfa8dcef53de323123
SHA1 hash:
b41fc3c9523d8428a66710eb213b9183cbdee730
Link:
https://www.unpac.me/results/e6cc34c8-7470-4031-b7cd-f33fbf074501/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ac4eccf76de2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac4eccf76de23fc434d72a6a34afb5c049df30a8d4b617b7a81fc871669765be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ac4eccf76de23fc434d72a6a34afb5c049df30a8d4b617b7a81fc871669765be

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/217578/

Comments