MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae16b2518b997f291f0e51ac7efecf013db94ca7549f8bd87102431bec8a9b69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae16b2518b997f291f0e51ac7efecf013db94ca7549f8bd87102431bec8a9b69
SHA3-384 hash: 365082db8f8fb19085080ce64f488611de2b8a3faf7944c16f45adceac343f00c4866f6cd20672a968265e28fc72db80
SHA1 hash: 92071fd63c33a5e55148831906fabc13ee133efc
MD5 hash: 50805661ffbe62fe481a84afe255ceb2
humanhash: carbon-ohio-winter-salami
File name:SHIPPING DOCUMENT PI#PI19-20117.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:861'902 bytes
First seen:2022-10-30 10:17:46 UTC
Last seen:2022-10-30 12:18:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:8a1/T+SLBbjjDuv5cu1XHZXO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHt:8a1KqBL41XHtZlT+lQTD/O3BArRCHt
Threatray 282 similar samples on MalwareBazaar
TLSH T15605F03A28735005FFFDC135BEE27381826879BE9CC80F96DA54BACA35B71C58670462
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 66c29abaaaaaaa86 (20 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SHIPPING DOCUMENT PI#PI19-20117.exe
Verdict:
Malicious activity
Analysis date:
2022-10-30 10:18:57 UTC
Tags:
autoit agenttesla
Link:
https://app.any.run/tasks/d7b8289e-bb0f-4997-9d9d-66d86495ffb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326088/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.45827.19153.24703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46782/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll strictor
Link:
https://www.filescan.io/uploads/635e4f5cce1f43143c2a0b79/reports/9cc228fa-525a-498f-bf54-a43bf7f1c1b7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e1f2600-1615-402b-95f7-163c6401e579
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101211
Signature
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 733872 Sample: SHIPPING DOCUMENT PI#PI19-2... Startdate: 30/10/2022 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected AgentTesla 2->44 46 4 other signatures 2->46 7 SHIPPING DOCUMENT PI#PI19-20117.exe 19 2->7         started        10 stmyqktvkopo.exe 2->10         started        process3 file4 22 C:\Users\user\AppData\Local\...\pgxpzkj.exe, PE32 7->22 dropped 12 pgxpzkj.exe 1 2 7->12         started        process5 file6 24 C:\Users\user\AppData\...\stmyqktvkopo.exe, PE32 12->24 dropped 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->48 50 May check the online IP address of the machine 12->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->52 54 3 other signatures 12->54 16 pgxpzkj.exe 17 4 12->16         started        20 pgxpzkj.exe 12->20         started        signatures7 process8 dnsIp9 26 mail.alaminattires.com 16->26 28 alaminattires.com 185.218.126.81, 49699, 587 QUICKPACKETUS Germany 16->28 30 2 other IPs or domains 16->30 32 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->32 34 Tries to steal Mail credentials (via file / registry access) 16->34 36 Creates multiple autostart registry keys 16->36 38 2 other signatures 16->38 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae16b2518b997f291f0e51ac7efecf013db94ca7549f8bd87102431bec8a9b69/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 11:07:24 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vylleumltf7sshyokgwh57wpae63stfhkspyxwdrajbrx3ektnuq._file
Verdict:
malicious
Similar samples:
16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6
AgentTesla
26a21ee2a1eb48e763a15cfad8db92148168438b6d74decccc3439a29a4cb951
AgentTesla
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
AgentTesla
67dfdca1a2d42035d8ef9bde053531051793e2f13e30b8f1fe0a81fdd52e99fb
AgentTesla
7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571
AgentTesla
8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a
AgentTesla
8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5
AgentTesla
e2523f043a47f04db956092e5aa8b55fb8d69105bbc3df185fed9048392df0d2
AgentTesla
+ 272 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221030-mbyeqafgar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
e022e9b5353e84e14a45a86995825b26ce537b3e5f089c524fb1bd1bf47e305f
MD5 hash:
4decc3b6708743ffc8436a69c8900c89
SHA1 hash:
f0c32b40fa894c478d06b4068a342dcc52e0c5e9
Link:
https://www.unpac.me/results/5652ef4b-1dcb-4779-9a61-471b3ab13323/
SH256 hash:
6796e519fe43bfae81490aa400b853f74364b49f3496439670d17b44c17f6c52
MD5 hash:
2cd6b46bebcad19e3ab40e5241b7ca0f
SHA1 hash:
c112b4f6f5cd8fe6548af611f950c822448d0398
Link:
https://www.unpac.me/results/5652ef4b-1dcb-4779-9a61-471b3ab13323/
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/5652ef4b-1dcb-4779-9a61-471b3ab13323/
SH256 hash:
ae16b2518b997f291f0e51ac7efecf013db94ca7549f8bd87102431bec8a9b69
MD5 hash:
50805661ffbe62fe481a84afe255ceb2
SHA1 hash:
92071fd63c33a5e55148831906fabc13ee133efc
Link:
https://www.unpac.me/results/5652ef4b-1dcb-4779-9a61-471b3ab13323/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae16b2518b99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/ae16b2518b997f291f0e51ac7efecf013db94ca7549f8bd87102431bec8a9b69

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ae16b2518b997f291f0e51ac7efecf013db94ca7549f8bd87102431bec8a9b69

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/326088/

Comments