MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad82fec6eaaebbe12eee2f4b6cb4e8d6e0659c9fdf0a365b0d4225ccbe14f224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad82fec6eaaebbe12eee2f4b6cb4e8d6e0659c9fdf0a365b0d4225ccbe14f224
SHA3-384 hash: fdfb903c524e0ac5c385b45078bea4bb27fba84cbbf29c6dca57c28ceebd570ee7dedf40d64d14927062ac90e33d3537
SHA1 hash: 1ad1f3925caf9b3e43bfa6c2fdba1a9ac1bf3c28
MD5 hash: 04ecb65ad3407b89abab206a1b921e5c
humanhash: arkansas-fanta-emma-ten
File name:04ecb65ad3407b89abab206a1b921e5c
Download: download sample
Signature AgentTesla
Create hunting rule
File size:628'224 bytes
First seen:2021-09-17 19:45:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:VjYxaM8KuQWLQh0wPf0FZ3JTB6lvoZ6pr7r4hY0mNy:NjQWDywNJTIdp1EyZ
Threatray 9'972 similar samples on MalwareBazaar
TLSH T130D4BF30179570D4E3727AB08BB3E042F5996D32AF9D92D93843F64DC2B3642E973A25
dhash icon d4c498f8f8b8ccd4 (6 x AgentTesla, 5 x SnakeKeylogger, 3 x Formbook)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188840/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1031-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e4c0b22-7bbe-467a-9a59-d50a20247b58
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853006
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485433 Sample: ExW9Dekao3 Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AgentTesla 2->43 45 Yara detected AntiVM3 2->45 47 3 other signatures 2->47 6 ExW9Dekao3.exe 3 2->6         started        10 AFSsp.exe 3 2->10         started        12 AFSsp.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\...xW9Dekao3.exe.log, ASCII 6->25 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->51 53 Injects a PE file into a foreign processes 6->53 14 ExW9Dekao3.exe 2 9 6->14         started        19 ExW9Dekao3.exe 6->19         started        55 Multi AV Scanner detection for dropped file 10->55 57 Machine Learning detection for dropped file 10->57 21 AFSsp.exe 2 10->21         started        23 AFSsp.exe 2 12->23         started        signatures5 process6 dnsIp7 31 nl-s1.dedicatedpanel.net 217.195.152.2, 49760, 49761, 587 SHOCK-1US Netherlands 14->31 27 C:\Users\user\AppData\Roaming\...\AFSsp.exe, PE32 14->27 dropped 29 C:\Users\user\...\AFSsp.exe:Zone.Identifier, ASCII 14->29 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Moves itself to temp directory 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 3 other signatures 14->39 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad82fec6eaaebbe12eee2f4b6cb4e8d6e0659c9fdf0a365b0d4225ccbe14f224/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 19:40:39 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwbp5rxkv256clxof5fwznhi23qglhe734fdmwyniis4zpqu6isa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4babd6fa58cd93ab9f6c80717a8dc1330443f437bce73e4f9299ff1d30b431dc
AgentTesla
562d247c94d3afd41fb2dbe409605ff22354acde3361f9518ef260179c2076cd
AgentTesla
5cdc13420f4812754d41158ca2015d69c2d7c903f1b00f90db14705eee8f8cc8
AgentTesla
6c9b3cb473eafac739743f9f3c8be5bf671eeee602781a05c64fe7ff9b6e93fa
AgentTesla
6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408
AgentTesla
acc4f3dec5d471c28db29b9e7877fa419d157ebaa44b51039fbae33d6e33ca02
AgentTesla
cadf8b35e70d4c8b4fdadf65f6cbfddce7ad4e0319ceff8bd68101db962f9395
AgentTesla
e4649c6b74b9494074c6020ba5e73d1253ed1929146135f4e9dbc48da6ace470
AgentTesla
fb8578f6cf84e5a7a96bca2f608f4ac2af7bed143262fd0cd0b35ecb5b2984d0
AgentTesla
+ 9'962 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210917-ygy4zsgdd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1c53ab9d6086cd0ac70904dc0bef4bc76ec537a4b2e67e529090bf8126089fa1
MD5 hash:
114c1ad7e2b88f3044be6650b2854b30
SHA1 hash:
bbe6498c66e8542d85ce876e2bfe07c942f16247
Link:
https://www.unpac.me/results/156265ab-14ae-4172-96fe-1f2cc09092ce/
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/156265ab-14ae-4172-96fe-1f2cc09092ce/
SH256 hash:
d45e227db3f23e35f29e354b3c1e97b4fe5c9e296efbd13b7f039c083b10a29b
MD5 hash:
96ac9380d4d272b3793b2a486962eddd
SHA1 hash:
8ac8b2bf9d6c283093f609cf49036111a2ae7285
Link:
https://www.unpac.me/results/156265ab-14ae-4172-96fe-1f2cc09092ce/
SH256 hash:
ad82fec6eaaebbe12eee2f4b6cb4e8d6e0659c9fdf0a365b0d4225ccbe14f224
MD5 hash:
04ecb65ad3407b89abab206a1b921e5c
SHA1 hash:
1ad1f3925caf9b3e43bfa6c2fdba1a9ac1bf3c28
Link:
https://www.unpac.me/results/156265ab-14ae-4172-96fe-1f2cc09092ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad82fec6eaaebbe12eee2f4b6cb4e8d6e0659c9fdf0a365b0d4225ccbe14f224

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ad82fec6eaaebbe12eee2f4b6cb4e8d6e0659c9fdf0a365b0d4225ccbe14f224

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1628338/
Cape
Cape
https://www.capesandbox.com/analysis/188840/

Comments


Avatar
zbet commented on 2021-09-17 19:45:20 UTC

url : hxxps://iglesiatransversal.com/Tcx5xxXPl9GOucJ.exe