MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8
SHA3-384 hash: 251c5690769f286cda978d0a2a98878560a67ebcdd9e49f79c2e149035f1edf10b59a2bf7c7c30310f90fcc8df140ac9
SHA1 hash: a05d0dc2d2d59f01b5478fb0c93bd9454e1dcd95
MD5 hash: 89c52df7d4bf97d0f9913dc89f6527b2
humanhash: undress-princess-kansas-black
File name:SecuriteInfo.com.Trojan.Win32.Save.a.22440.30224
Download: download sample
Signature AgentTesla
Create hunting rule
File size:218'624 bytes
First seen:2021-05-25 13:01:03 UTC
Last seen:2021-05-25 14:04:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:ewyUpr7SoKWyLqB7Xi0p55LJQEQoTyFB:eNUxR3yLo2WZJQEmB
Threatray 5'252 similar samples on MalwareBazaar
TLSH C824F139A7617711DCE649FFDDD7C1B00AA7B99BA5129D174084F3EA10A2FAC8FD0442
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161925/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.22440.30224.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791586
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 11:49:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwnoanlpv2huuq76yfnm526qmdzix653veh56l3hbb7y2vpn7pea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967
AgentTesla
1b122d90ecb306cc9067c1ec1623a19aadc0005cb1d31f49120a902d4f26d5df
AgentTesla
1c4cbe5a3adfa0a596eabff32c6a43fe2f5fc2be1dcf71bddbd0c1200d7451a8
AgentTesla
989f330817cadbe60308cdd0977792aa3ee8fd2f55b2e92ed32d2416de16c32d
AgentTesla
a8dba39ad00064bad947851725eb20e863581975d75d02e5e74ba6773918c7b1
AgentTesla
b5aeb6d277320df561d9bb77a95e976c5527c17441292ec7b5bafc441fe746d0
AgentTesla
b96e5b8548a31fc43385a31b1c23a9ad95440309ccc6baa10dced1833e118d5e
AgentTesla
bf411b461237ce0b5f1cf021af00bf94c0f31a8aac095c9d36581c5095fcc2a7
AgentTesla
d65fa2504374d19e221d6631799f41426450d650355098be07f7cfa667d80bf9
AgentTesla
ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b
AgentTesla
+ 5'242 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210525-lyxqj3byn6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1282140/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/161925/

Comments