MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd
SHA3-384 hash: 1cd8e29bdd9e4cdb1f92be257da2bac02f0b801b2d4f10422c42edc83b159c90dae66bd86a40fa6b508a98bca5d6b3f5
SHA1 hash: af6d0c3f08adfe8be72017f2315f45854f334e23
MD5 hash: 79bcd6ed9081b8388cc2f8e26afd798d
humanhash: monkey-green-blossom-lactose
File name:INCOMING COLLECTION D-A ADVICE.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:769'536 bytes
First seen:2023-08-30 13:33:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:8chcgOS5B/bTClakx98lyMe8iN4ShYkcbiHYKJ84eaakUHw9U9cJUhRcOJ5c:8c3OQB/ClVP8lyMe8iN4ShYkcbiHP+4e
Threatray 5'543 similar samples on MalwareBazaar
TLSH T11FF4E11836B85F26E6B9C3F58534955807F97A9A253FE38C8DD234EF1A60F820D11B27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
INCOMING COLLECTION D-A ADVICE.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-08-30 13:37:07 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/17ff4a79-a391-4e7b-9b82-04364afc8612

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445314/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin masquerade packed
Link:
https://www.filescan.io/uploads/64ef454e9ff753467d7fd545/reports/1ccf1e95-5782-4ada-a027-a25347127694/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2917a6d-1f45-4d13-a58c-89ad0eb98e10
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300402
Signature
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 08:24:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
14 of 38 (36.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vru3jb4hgavpuu3edweouocmnl7scnus2t757gldcrfodxmmis6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22f66a34d2354f08b0e4924f3d619d6fa0922adda2827f7e6f588f5855e4258e
AgentTesla
3807b05845559f4ea717756c87357b8cfd9b9909a4d3f738f35ddc2bed88c35e
AgentTesla
527667bc0981c49c8b4240170196700630a848bc7f3890ec6733df750d201d9b
AgentTesla
534bc98179bd7a6f7c7491fdee34ff06ae1d90f7bf1db29586d39a5ae971eea5
AgentTesla
5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
AgentTesla
65991091fbb81c3961dd91240296ae03aec2a94ef682dd194134e8cfdf69f8a4
AgentTesla
a99950332da46a51e1aaba6204df22a2c94926d9ac2691ac63cdb3cc6f9f3098
AgentTesla
c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54
AgentTesla
d2475c14cd534bca8b3a7a584900668545ed04d7f04c55c0958e05deaec4a7fc
AgentTesla
ffa8e6e00d583ef5154e0e33f28d775858e9d71fd8e45247cec4e60e723f8f9f
AgentTesla
+ 5'533 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230830-qt4k8sfe98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/ff072dc6-153a-46a2-a34d-3190cfe685b0/
SH256 hash:
66ed5839c9410455cb49c78e1f311a853be26d9cf2a6d3f4453af2f56c7a1cb0
MD5 hash:
e31461f4afdb5bd394d4a4f249a65aaf
SHA1 hash:
613a6b5ce2e8be9a2d1a408665e8cf58aaf7a1cb
Link:
https://www.unpac.me/results/ff072dc6-153a-46a2-a34d-3190cfe685b0/
SH256 hash:
92ada27bd1d8e976e85588d78e43d64e883669d99b5e6e871203dd3e928515b9
MD5 hash:
c7f2b8a7caf9a8178c9bfe2e24aba1a2
SHA1 hash:
548889de6a48824f6e6aa6ac73fa3cc5e1988aa3
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ff072dc6-153a-46a2-a34d-3190cfe685b0/
Parent samples :
c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54
ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd
SH256 hash:
66ff7906cfff48d5f7a292013f19a49b8f69c37b77c0de0338904f0c04be8b36
MD5 hash:
c0680fd8ba1f99da57846ebebeebdb5d
SHA1 hash:
353e9f27be8262032376feb0d3e7ac31c2379939
Link:
https://www.unpac.me/results/ff072dc6-153a-46a2-a34d-3190cfe685b0/
SH256 hash:
ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd
MD5 hash:
79bcd6ed9081b8388cc2f8e26afd798d
SHA1 hash:
af6d0c3f08adfe8be72017f2315f45854f334e23
Link:
https://www.unpac.me/results/ff072dc6-153a-46a2-a34d-3190cfe685b0/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac69b4878730/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445314/

Comments