MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac88b6d34837d3e7018799ef9833415459bd9150bbf38ef51b9bb20cc3c847ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac88b6d34837d3e7018799ef9833415459bd9150bbf38ef51b9bb20cc3c847ae
SHA3-384 hash: d38fe3a551c2dae3a9d345891b152763bfbce32941197e09aa6ac474f5fd0f76c30cce5b91ee05885e8153b5c8def6ef
SHA1 hash: 70fa0ec870b67ec7b23bdf5a6f3431e0c02995cc
MD5 hash: 7c70b8379c6dc386ead6106375e17f33
humanhash: artist-foxtrot-black-tennis
File name:New PO_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:400'459 bytes
First seen:2021-08-18 06:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b1520ba8a8e7d12cecb5bd04c747ffc (2 x AZORult, 1 x Formbook, 1 x SnakeKeylogger)
ssdeep 6144:PXmnzU02JneN/3TqrurY8eRL/07KbykBVI6RaQyJclQeLbrFtcwI9hvz1fzfsYDq:vfNsN/3TqrurYOgy4GGUSQCg9fsYDvi
Threatray 8'539 similar samples on MalwareBazaar
TLSH T1BC84E011B685D036E5B3083246F6927A593C7B721B5F8EEF17C89AB84F341C26930B67
dhash icon c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New PO_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-18 06:31:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9664d656-6b2c-4de5-aac5-8e56c8bd9ef1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180209/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7036d79e-439f-4ac9-87b0-bbdafd31562e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834898
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac88b6d34837d3e7018799ef9833415459bd9150bbf38ef51b9bb20cc3c847ae/
Threat name:
Win32.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 02:59:55 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vselnu2ig7j6oamhthxzqm2bkrm33ekqxpzy55i3tozazq6ii6xa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
AgentTesla
542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def
AgentTesla
9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80
AgentTesla
bb9f48fe7b24ee1d6bdb487bcecba20ebf6d5b36371726d889b997c0b34a6dbd
AgentTesla
c26273df586c447ec9f449497926c19638899f5b5a22ca956fc318e617e89cf6
AgentTesla
cb8a7d1d9c86d996899769e9abac0b326053dae7f9d8fc226aabfa89f3f8d16e
AgentTesla
da1f1c571091e69d504819a85f0a8e1cd35e45f4a1d863320b51f0ff39817073
AgentTesla
ecd1fe2b5e0b6ce3b21a567913fdbde90f7f21a30955de30101bad4e35b7f75f
AgentTesla
fca23df949c7e10b76b320bdd3b2d3179855ecde575abad628caf4aeb647d3f7
AgentTesla
+ 8'529 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210818-zbb6ggtw8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
b5cb472e5553e80930c998f94285634676bcef9f2c64fb4b1cb11a99bef3cc5a
MD5 hash:
b935575659b4eb1ffc9a378aad0b6418
SHA1 hash:
0d51e2923977ba395ba11453a93d32c78f1b83bd
Link:
https://www.unpac.me/results/0e293c08-3bd5-4180-9b86-c9365eab2207/
SH256 hash:
ac88b6d34837d3e7018799ef9833415459bd9150bbf38ef51b9bb20cc3c847ae
MD5 hash:
7c70b8379c6dc386ead6106375e17f33
SHA1 hash:
70fa0ec870b67ec7b23bdf5a6f3431e0c02995cc
Link:
https://www.unpac.me/results/0e293c08-3bd5-4180-9b86-c9365eab2207/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac88b6d34837d3e7018799ef9833415459bd9150bbf38ef51b9bb20cc3c847ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ac88b6d34837d3e7018799ef9833415459bd9150bbf38ef51b9bb20cc3c847ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180209/

Comments