MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae1244a9c96ef3f60189c2d3e33a421c23191ace72a2b4924d63d2e46a09f395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae1244a9c96ef3f60189c2d3e33a421c23191ace72a2b4924d63d2e46a09f395
SHA3-384 hash: 68f9dd71a3ed1378cf26a72490d6a120c196d35a288c4d461e087647c26d46af1fdabc3c3ead7609a51cb2211fb4dcb8
SHA1 hash: 8c768215e6312ec74a605a5831062153d0396df7
MD5 hash: 4c39cd0e88d79fcf93d346e04aa36ad2
humanhash: whiskey-california-blue-butter
File name:TT Swift Copy.pdf...exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'119'744 bytes
First seen:2021-03-29 04:25:06 UTC
Last seen:2021-03-29 04:34:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:h0gUISafnX6z/Z9zHXE+ahtqx1Co+tAsw1q:2gUXrT7E+ar7o+X5
Threatray 4'164 similar samples on MalwareBazaar
TLSH 2B359DD8B540B5DDCC1A8B728979CC309612BDFA5237C50E50DB3DAB7A7E69B8D100A3
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT Swift Copy.pdf...exe
Verdict:
Malicious activity
Analysis date:
2021-03-29 04:27:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aeae6485-70ac-4881-964a-47c90352e732

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127435/
Detection(s):
SecuriteInfo.com.Trojan.Hosts.48400.13987.5380.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3b9050d-bdb6-4e6b-b233-240f858fa7fc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656386
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae1244a9c96ef3f60189c2d3e33a421c23191ace72a2b4924d63d2e46a09f395/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 15:48:47 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vyjejkojn3z7mamjylj6goscdqrrsgwookrljesnmpjoi2qj6okq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f581ed2051c4a3b6f4d7d6e63c3a90ccf07f3d2054b0ec88c05826102749680
AgentTesla
30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713
AgentTesla
3f9ce3d45471beb2915bef5313cc463a859f86e218609951dc0a5af57406350b
AgentTesla
66376232e1661b6b29da25ec440d8913932606bcf6a8cc54d83b0fc126e68d11
AgentTesla
6a60a4591be2d9e721c3280d36b7594c93799bd695b45091b8db96b0b50d3b56
AgentTesla
7cf016920f62f4cd984f9fdc9c9976b07888c891b52a8c6c95c47cc3628bde21
AgentTesla
97b36b4f803f8f011f8768c84f4b08ffe178f4d40c5bdf3f3b796aa71c183dd0
AgentTesla
cf603db11efb3551d503bed1a7b619bffb02896eb80db37a81b262c02be2c6eb
AgentTesla
d3764440a44cf58d60e0d29cc9e9e4ce920092d71c13457c7cbab5415202cceb
AgentTesla
ed5622f5b9aa0b81163361fed772d9164d670dd0a0adf0ac8ea2de616b694187
AgentTesla
+ 4'154 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210329-cbdrkyvdcx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
367bd3bbd27bcfb4020ea2e8e19bcef7e7613677514df74990980bb5cbd2faa4
MD5 hash:
ce249eac42648acbd1fdb4dcac4b93b2
SHA1 hash:
ece85af062c4dba9a4b56b53b6f926fd974d7f90
Link:
https://www.unpac.me/results/cacd46db-5edf-4c7a-89ac-e8f5243528b3/
SH256 hash:
a380482df3aca2aa5d258efa48bb8615191077f34119e214d36f37e35665a178
MD5 hash:
175498f61984ff91a89300205e48ae9a
SHA1 hash:
da71cb8fe8be871fab2abf3b195a243906961bf0
Link:
https://www.unpac.me/results/cacd46db-5edf-4c7a-89ac-e8f5243528b3/
SH256 hash:
f8eaafea47839ec25df17e7a7b2d99ddb003b958b27b228617f355d8d4c716a7
MD5 hash:
011224e4783944f794c4b0b3879f29aa
SHA1 hash:
c211d19a658ec167487a8ab4dfd598d80ebe4250
Link:
https://www.unpac.me/results/cacd46db-5edf-4c7a-89ac-e8f5243528b3/
SH256 hash:
ae1244a9c96ef3f60189c2d3e33a421c23191ace72a2b4924d63d2e46a09f395
MD5 hash:
4c39cd0e88d79fcf93d346e04aa36ad2
SHA1 hash:
8c768215e6312ec74a605a5831062153d0396df7
Link:
https://www.unpac.me/results/cacd46db-5edf-4c7a-89ac-e8f5243528b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae1244a9c96ef3f60189c2d3e33a421c23191ace72a2b4924d63d2e46a09f395

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:dridex_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 21653598ac22c20f0feb208086815ec218a77eb0b1b5c0a688b0693debbe87a9

AgentTesla

Executable exe ae1244a9c96ef3f60189c2d3e33a421c23191ace72a2b4924d63d2e46a09f395

(this sample)

  
Dropped by
MD5 89627cf0bc7affdf7190a7b6f2197787
  
Dropped by
SHA256 21653598ac22c20f0feb208086815ec218a77eb0b1b5c0a688b0693debbe87a9
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127435/

Comments