MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f
SHA3-384 hash: 806a92b3960c522bae7665013ebeb096687d122110ee0468de8c367e1fd654f2597fd8f6483ab76fb8336da46df7904c
SHA1 hash: e06f0189895dbeff97eb8971ed01bf300dc59f36
MD5 hash: e3795bba166583491254ede202293b06
humanhash: zulu-ohio-oranges-table
File name:AWD1-2001028L PI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:538'112 bytes
First seen:2020-10-07 05:07:27 UTC
Last seen:2020-10-07 06:24:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:DxtS+Ad4yKwjYjOtmZYjlm+qhj350Ni3d1SvtZWhp/:D/S+Ad4sEMmZYjlEFd1SvtO
Threatray 355 similar samples on MalwareBazaar
TLSH 18B43A163749EAB1F1AE097444C6C1F10311FDAD598352AABFC2FE2F79B7505002EEA6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: npsel.com
Sending IP: 103.99.1.146
From: Mona Fan/SEL TAO <fanll@npsel.com>
Subject: Re: AW: AW: Invoice and Shipping Documents
Attachment: AWD1-2001028L PI.zip (contains "AWD1-2001028L PI.exe")

AgentTesla SMTP exfil server:
mail.framafilms.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68787/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483682
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294305 Sample: AWD1-2001028L PI.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 5 other signatures 2->47 6 AWD1-2001028L PI.exe 4 2->6         started        9 kprUEGC.exe 4 2->9         started        12 kprUEGC.exe 2->12         started        process3 file4 49 Injects a PE file into a foreign processes 6->49 14 AWD1-2001028L PI.exe 2 5 6->14         started        23 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 9->23 dropped 51 Antivirus detection for dropped file 9->51 53 Multi AV Scanner detection for dropped file 9->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->55 57 2 other signatures 9->57 19 kprUEGC.exe 2 9->19         started        21 cmd.exe 9->21         started        signatures5 process6 dnsIp7 31 mail.framafilms.com 194.209.228.166, 49743, 587 SWISSCOMSwisscomSwitzerlandLtdCH Switzerland 14->31 25 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 14->25 dropped 27 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file access) 14->35 37 Tries to harvest and steal ftp login credentials 14->37 39 3 other signatures 14->39 29 C:\Windows\System32\drivers\etc\hosts, ASCII 19->29 dropped file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 01:25:41 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3e27l4vv5f6to6ktyfwyomktfhw43zogq6bdx3egba6757snbhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15814d40339c1e572590b74683dec0fdf2e55e7f565be6e806adfa2e59c4a915
AgentTesla
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
AgentTesla
21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2
AgentTesla
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
AgentTesla
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
AgentTesla
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
AgentTesla
727e1f0aabc7d8fb68f756541bd8797dd810c2b3ab684ae6e53732e461425f20
AgentTesla
75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
+ 345 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/201007-687z9f4fn2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f
MD5 hash:
e3795bba166583491254ede202293b06
SHA1 hash:
e06f0189895dbeff97eb8971ed01bf300dc59f36
Link:
https://www.unpac.me/results/c52a5ef8-0c71-4e81-83d7-b502f1946058/
SH256 hash:
cca64cea1a4d7a0043d1a6ef67aab537ee26e3794a27ad514b07ba842c04302a
MD5 hash:
7d182f3da5418c6af80a4a14948e9fc6
SHA1 hash:
f1a9057296bcd76fc0d6e8efeb074cf885ec5d88
Link:
https://www.unpac.me/results/c52a5ef8-0c71-4e81-83d7-b502f1946058/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 291d38c1be0bffabc23e262443a649416a832b9136130c0e43154a388231e414

AgentTesla

Executable exe aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f

(this sample)

  
Dropped by
MD5 ac0045b38e20d750ff7db2de3c8e4ff2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68787/
  
Dropped by
SHA256 291d38c1be0bffabc23e262443a649416a832b9136130c0e43154a388231e414

Comments