MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f
SHA3-384 hash: 0c5850edcda9d2460ef833fc5c592334ccc0055d2beec64f4173eb989af6cfe86e0c8fb992a8471f7d5370da9c14c709
SHA1 hash: ca5e665707a2c84fe598b9b1afacac091474df95
MD5 hash: 2ee09f0b0b1097a9df837183bc06ef38
humanhash: papa-high-lactose-lactose
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:735'232 bytes
First seen:2023-04-07 12:47:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:H2iNeqFROJt03tpEzYZXq/5uEN1GJ5q98g5ECZfQMOZyVgh2eV:H1jROC/qKJc5EClQMM
Threatray 57 similar samples on MalwareBazaar
TLSH T1A7F47DD42AD68BC0D037B130F059CBF2C3D6152AE099DBE1389B5989E1D2E451CFA9F9
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET AgentTesla exe MSIL

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-04-07 12:51:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c868a097-1e3f-40a2-8f38-ce89d4984ff2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380782/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/643011042254dc891204a626/reports/709f0493-e3a7-48bd-8881-655d3911fef2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3063795d-1d55-445c-ab73-c70d4b29ed4c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1210202
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 843119 Sample: file.exe Startdate: 07/04/2023 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AgentTesla 2->41 43 .NET source code contains potential unpacker 2->43 45 Machine Learning detection for sample 2->45 6 file.exe 3 2->6         started        10 RMBJLaF.exe 2 2->10         started        12 RMBJLaF.exe 2 2->12         started        process3 file4 19 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 6->19 dropped 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->47 49 May check the online IP address of the machine 6->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->51 53 Injects a PE file into a foreign processes 6->53 14 file.exe 17 5 6->14         started        55 Multi AV Scanner detection for dropped file 10->55 57 Machine Learning detection for dropped file 10->57 signatures5 process6 dnsIp7 25 api4.ipify.org 104.237.62.211, 443, 49706 WEBNXUS United States 14->25 27 server327.web-hosting.com 67.223.118.132, 25, 49707 VIMRO-AS15189US United States 14->27 29 api.ipify.org 14->29 21 C:\Users\user\AppData\Roaming\...\RMBJLaF.exe, PE32 14->21 dropped 23 C:\Users\user\...\RMBJLaF.exe:Zone.Identifier, ASCII 14->23 dropped 31 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->31 33 Tries to steal Mail credentials (via file / registry access) 14->33 35 Tries to harvest and steal browser information (history, passwords, etc) 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-07 09:18:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzspxebclwe7yr62j6lvsbzxohwcs6emm3mhtawg3lceipliuipq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d2d3cc50572a90b68558d070375be0474a2294f5cc1d4ac0249b19f21d12d8b
AgentTesla
24eff453781c287faa8e26134cd992f207f03d34b8d2f0e45dd94156ecf6e43e
AgentTesla
5d89fd91fbb0c2d4d75df1bde8c233dc0fe3e576966a5ab65b231ecc58935272
AgentTesla
62413ad16a42665b9396e1cce548b6e212c5cf21d3d2d8ae8c02ba83bd69fa0e
AgentTesla
851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3
AgentTesla
86427b8288b61c876a94f3d5226fb04f843ee245ad937dcdb4b974e81ec8b404
AgentTesla
8ec8019892b2f4625446c785c98dce87ac6362cbbdef61f57c4787ec35bbb262
AgentTesla
d26449a86fb463c573cd383b333c1d807165762718c9d4fd78c1cf15c70e1f98
AgentTesla
d84a5f234b44723f4c8204264b4506cc2f06474790f6469acc09012029f35854
AgentTesla
d9d968c6c6b73cf0cbeba16fa598259be05b5c0cd049b10a87b616b1c7ed500e
AgentTesla
+ 47 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230407-p1r1caba5w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
5ca35d6d032a34959e5580d241b7adcb7e70674f37a6677a90f3c2299f70b0e1
MD5 hash:
4ef34ba51f89f76f718293b5e2a77e18
SHA1 hash:
b6f8c75739be5a0b74e56c0b8da8600caa08f540
Link:
https://www.unpac.me/results/8f93b260-5427-4ceb-9738-33f10d49863f/
SH256 hash:
4499077fe4f2c56b509836c30fb2dfc9410d73b0767bbbf88696ca941df6a623
MD5 hash:
1990b2894ddc5c880fd0719698058001
SHA1 hash:
9fc799bbb24905e466ef2a115cd8c0a7a18e2382
Link:
https://www.unpac.me/results/8f93b260-5427-4ceb-9738-33f10d49863f/
SH256 hash:
6ed5754774ca845ea9082b30abb01d1db00078035c800d347212d21778ae5b72
MD5 hash:
656856ebecb29670e0e8fa56046e5eb4
SHA1 hash:
954b5a1bca5190305e1245b041dddcd487e28924
Link:
https://www.unpac.me/results/8f93b260-5427-4ceb-9738-33f10d49863f/
SH256 hash:
56aa9a20fe589757eabe9f5be8c6dede6b87ad569f786f1b59d2b8ee8d3df3d8
MD5 hash:
e7cfb07dfe571694aa7cd5c01d884a53
SHA1 hash:
76897ee68a5d56313356e77bcfa284aa63a8c6c1
Link:
https://www.unpac.me/results/8f93b260-5427-4ceb-9738-33f10d49863f/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/8f93b260-5427-4ceb-9738-33f10d49863f/
SH256 hash:
ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f
MD5 hash:
2ee09f0b0b1097a9df837183bc06ef38
SHA1 hash:
ca5e665707a2c84fe598b9b1afacac091474df95
Link:
https://www.unpac.me/results/8f93b260-5427-4ceb-9738-33f10d49863f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae64fb90225d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2598337/
Cape
Cape
https://www.capesandbox.com/analysis/380782/

Comments