MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006
SHA3-384 hash: 69e96df56c6adadedbd4add566bfc9adb87729f73e7b12ce69b321fd40e7d7c782b195af082b59973ba6d09caaa68421
SHA1 hash: ffeaac781a54717992d0558dcc3a15d7207c9972
MD5 hash: a9ac84bf0fdf9397d3899a389e932d0d
humanhash: leopard-five-mockingbird-wyoming
File name:SHIPMENT-DETAILS_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:972'288 bytes
First seen:2024-08-13 13:52:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:klheZhn7irBIhoOxLtYBMQiNjb6BmUIQgqwOoEWtqX+:klheS2h7jYyRNa45vOLWv
TLSH T1652523A4D74A26AAE6287DB8C8D57EA18538E037A4CBF35974E60137010BFCB53364D7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
392
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SHIPMENT-DETAILS_pdf.exe
Verdict:
Malicious activity
Analysis date:
2024-08-13 13:56:31 UTC
Tags:
evasion stealer agenttesla ftp exfiltration
Link:
https://app.any.run/tasks/2f84a0a6-8ead-4de3-90fb-bbf5d2b5d5a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilheracles-10017859-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66bb6541aa5b40be0aa0288b
Tags:
Discovery Network Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/66bb653f55c081148cc91559/reports/b09672df-b7df-48c4-8a0e-8f2f1bd47f5c/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db19ef7d-ebd8-4a3c-8ae6-7142686d0e8c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1492205
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1492205 Sample: SHIPMENT-DETAILS_pdf.exe Startdate: 13/08/2024 Architecture: WINDOWS Score: 100 31 liceultehnologicrosiajiu.ro 2->31 33 ip-api.com 2->33 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 12 other signatures 2->59 7 SHIPMENT-DETAILS_pdf.exe 1 4 2->7         started        11 Erjvftzap.exe 2 2->11         started        13 Erjvftzap.exe 2 2->13         started        signatures3 process4 file5 27 C:\Users\user\AppData\Roamingrjvftzap.exe, PE32 7->27 dropped 29 C:\Users\...rjvftzap.exe:Zone.Identifier, ASCII 7->29 dropped 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->61 63 Writes to foreign memory regions 7->63 65 Injects a PE file into a foreign processes 7->65 15 InstallUtil.exe 15 2 7->15         started        67 Antivirus detection for dropped file 11->67 69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 19 InstallUtil.exe 2 11->19         started        21 InstallUtil.exe 11->21         started        23 InstallUtil.exe 2 13->23         started        25 InstallUtil.exe 13->25         started        signatures6 process7 dnsIp8 35 ip-api.com 208.95.112.1, 49715, 49718, 49725 TUT-ASUS United States 15->35 37 liceultehnologicrosiajiu.ro 85.9.47.248, 21, 49716, 49719 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 15->37 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->39 41 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->41 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->43 45 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->45 47 Tries to steal Mail credentials (via file / registry access) 23->47 49 Tries to harvest and steal ftp login credentials 23->49 51 Tries to harvest and steal browser information (history, passwords, etc) 23->51 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-08-07 02:04:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vyzmypq2ncx4xeigfwqe7gowlxoj5u7675ojlsm7fpiuq6u3gada._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240813-q61ecaxcka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/385d601b-7b66-4d37-a324-d79da0320592
Unpacked files
SH256 hash:
894879fa56825b3d774a0222ee0fb5ed939b1a19c3f7cf24a1cd7b2b51c28bfc
MD5 hash:
8f4a4b527c7b93334ff92414aae5d9ee
SHA1 hash:
7cc181d8ad8ae36efeccb28ff82b319eb532ae86
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e26de7c8-b609-46af-8b04-8ad6f68b2bcb/
SH256 hash:
ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006
MD5 hash:
a9ac84bf0fdf9397d3899a389e932d0d
SHA1 hash:
ffeaac781a54717992d0558dcc3a15d7207c9972
Link:
https://www.unpac.me/results/e26de7c8-b609-46af-8b04-8ad6f68b2bcb/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae32cc3e1a68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ae32cc3e1a68afcb91062da04f99d65ddc9ed3feff5c95c99f2bd1487a9b3006

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments