MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae9787d7a622c488ba5aa51022c5f7cfd6055082f2f0c7b887c1234e73f61ef0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae9787d7a622c488ba5aa51022c5f7cfd6055082f2f0c7b887c1234e73f61ef0
SHA3-384 hash: a45f595a4745f0f387aaa03f86e5ef749cfb3a9bfb733d1b3ed6c3b27ff8ef2e90bdfe488ce2126457bebf37a6d286da
SHA1 hash: b80c18d7e57503c0f7019eac3148e446c1952b67
MD5 hash: 9c66f681dd4f45e909bb6cec6fa8e20f
humanhash: october-mike-london-equal
File name:9c66f681dd4f45e909bb6cec6fa8e20f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'984 bytes
First seen:2023-07-12 01:26:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:cJ4aMp7tL+N2UnzjpqQi4EGS8oZnC65mlJ9sIUdbCIOf5Ut99:tp5sxqQi4Et55g76ndWFCtb
Threatray 4'759 similar samples on MalwareBazaar
TLSH T1FCF4011A71BF9B17C9B9B3FE0548054833FC5A1C6664F7185C8B90FA997AF000990EEB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
96908698ef1a19e7b6c4cc2f52637d3b
Verdict:
Malicious activity
Analysis date:
2023-07-10 16:52:08 UTC
Tags:
exploit cve-2017-11882 loader agenttesla
Link:
https://app.any.run/tasks/a17fc55a-0ff6-46ec-9cfe-ae1bc2d4e87e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416176/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68102321.22298.10772.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64ae0166a15fc7eb4fd0f761/reports/ebdad338-9f7c-478a-998c-1e4c4c88eff3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ae9787d7a622c488ba5aa51022c5f7cfd6055082f2f0c7b887c1234e73f61ef0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/782eefaa-eddf-43d3-a133-5d0ae979294b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271327
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1271327 Sample: 6vQ1A7ZEID.exe Startdate: 12/07/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 5 other signatures 2->55 6 6vQ1A7ZEID.exe 3 2->6         started        10 svchost.exe.exe 3 2->10         started        12 svchost.exe.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\6vQ1A7ZEID.exe.log, ASCII 6->23 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->57 59 May check the online IP address of the machine 6->59 61 Injects a PE file into a foreign processes 6->61 14 6vQ1A7ZEID.exe 17 5 6->14         started        63 Multi AV Scanner detection for dropped file 10->63 65 Machine Learning detection for dropped file 10->65 19 svchost.exe.exe 14 2 10->19         started        21 svchost.exe.exe 2 12->21         started        signatures5 process6 dnsIp7 29 api4.ipify.org 173.231.16.76, 443, 49698, 49700 WEBNXUS United States 14->29 31 api.telegram.org 149.154.167.220, 443, 49699, 49701 TELEGRAMRU United Kingdom 14->31 37 2 other IPs or domains 14->37 25 C:\Users\user\AppData\...\svchost.exe.exe, PE32 14->25 dropped 27 C:\Users\...\svchost.exe.exe:Zone.Identifier, ASCII 14->27 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file / registry access) 14->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->43 33 api.ipify.org 19->33 35 api.ipify.org 21->35 45 Tries to harvest and steal browser information (history, passwords, etc) 21->45 47 Installs a global keyboard hook 21->47 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae9787d7a622c488ba5aa51022c5f7cfd6055082f2f0c7b887c1234e73f61ef0/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 10:52:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2lypv5gelciros2uuicfrpxz7lakuec6lympoehyeru447wd3ya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
100ed81d558e71b8bbf8d3cdd3c2e2c390367e9d470a52a931c07aabdc70ed50
AgentTesla
40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949
AgentTesla
52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f
AgentTesla
8150ceb72ebe958ee0424f42b26eb134281f42e7188a9f08ccc5025ac70bae24
AgentTesla
aed00c25c329f6b88aa005feac5d2b1b73e8b46303984d194aaef41c84e2ed51
AgentTesla
b5294830d0c872aff02498de88a9d56f8523571951b2394ea27d57763265ef9d
AgentTesla
bd46a723d17048369ac18ff1a2ec0d0f54a8a4a3c5e23d56a53e014a02d1c42e
AgentTesla
ccc2705cc016a910af89b39b5beeca2885eedd714cca5ab153b416c201d0ea96
AgentTesla
ea9f2431a64fc69fa9fdc839c8526744ede33f35a8e0a7b703fa2e03382c49d2
AgentTesla
+ 4'749 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230712-bt3xdabe26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6250389540:AAF1KME0gXOqQ6YWKB4YQVexdl5p80Fk0cc/
Unpacked files
SH256 hash:
fad67e8b0b02d7cc9476f63b5a29ebba72ef831d0cf7e1987913cb4bdd837886
MD5 hash:
fe2d945c12d10a0cb7ccd0d591200d1b
SHA1 hash:
c30f12579cc72e22a60653714ce832b1146d65b8
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a79c83aa-9ff3-409f-9b5c-cbd16961528e/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/a79c83aa-9ff3-409f-9b5c-cbd16961528e/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/a79c83aa-9ff3-409f-9b5c-cbd16961528e/
SH256 hash:
3c9b01e94445a883dcf684a1149cc777d0c230a697aca6f84f37d7f680099a24
MD5 hash:
f29c9bb20eabe793f445d0d69c52471e
SHA1 hash:
13750e9255326a4fe3a93c6332cfd07888d6e1b9
Link:
https://www.unpac.me/results/a79c83aa-9ff3-409f-9b5c-cbd16961528e/
SH256 hash:
ae9787d7a622c488ba5aa51022c5f7cfd6055082f2f0c7b887c1234e73f61ef0
MD5 hash:
9c66f681dd4f45e909bb6cec6fa8e20f
SHA1 hash:
b80c18d7e57503c0f7019eac3148e446c1952b67
Link:
https://www.unpac.me/results/a79c83aa-9ff3-409f-9b5c-cbd16961528e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae9787d7a622/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ae9787d7a622c488ba5aa51022c5f7cfd6055082f2f0c7b887c1234e73f61ef0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2680957/
Cape
Cape
https://www.capesandbox.com/analysis/416176/

Comments


Avatar
zbet commented on 2023-07-12 01:26:57 UTC

url : hxxp://87.121.221.212/templezx.exe