MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aed18cdef3de7bb5192dec939a7b6e8989ce8a6dd1da25ae640f8f2586b29eae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aed18cdef3de7bb5192dec939a7b6e8989ce8a6dd1da25ae640f8f2586b29eae
SHA3-384 hash: edc53f13dfa5124b3b0c5532fbf7923f8f2e02560b09d7d8982488b369a570ee25d4d3a93850a929e95b9622475c7aaf
SHA1 hash: 2bd1d2db39bd1e2861b9c43b1ac87acf3c232395
MD5 hash: 1c753b0df42d39cb6c5b714d7f46ecd0
humanhash: solar-fourteen-cardinal-sierra
File name:SWIFTMT10300000.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'609'728 bytes
First seen:2023-01-05 07:10:57 UTC
Last seen:2023-01-05 08:36:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:l7ybZIKdM9ZvRpLJ4eQgZrMEz6yEcQFExj6L+lMBebbJ:l+bZsZBJ9IExj6L+lMBebb
Threatray 20'737 similar samples on MalwareBazaar
TLSH T15A7594ACF524369FC06BCA318E58DC24EBA068BF570B961380A755DCAB5D4A3DF140F6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla bat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFTMT10300000.bat
Verdict:
Malicious activity
Analysis date:
2023-01-05 07:14:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ddfc007-9236-4514-a3f0-c1c9a29bbe7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349559/
Detection(s):
SecuriteInfo.com.Variant.Lazy.282126.25056.26725.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63b6780a0fdf1633326d53b4/reports/95d82a9a-08c4-41e7-9d2c-f0504f187d85/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a105124-151a-450a-ab18-d6b7193f171e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145481
Signature
.NET source code contains very large strings
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778213 Sample: SWIFTMT10300000.bat.exe Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected AgentTesla 2->32 34 Yara detected AntiVM3 2->34 36 3 other signatures 2->36 6 SWIFTMT10300000.bat.exe 3 2->6         started        10 fzVlWoK.exe 3 2->10         started        12 fzVlWoK.exe 2 2->12         started        process3 file4 24 C:\Users\user\...\SWIFTMT10300000.bat.exe.log, ASCII 6->24 dropped 38 Detected unpacking (changes PE section rights) 6->38 40 Detected unpacking (overwrites its own PE header) 6->40 42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->42 14 SWIFTMT10300000.bat.exe 2 5 6->14         started        44 Multi AV Scanner detection for dropped file 10->44 46 Machine Learning detection for dropped file 10->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->48 18 fzVlWoK.exe 2 10->18         started        20 fzVlWoK.exe 10->20         started        50 Injects a PE file into a foreign processes 12->50 22 fzVlWoK.exe 2 12->22         started        signatures5 process6 file7 26 C:\Users\user\AppData\Roaming\...\fzVlWoK.exe, PE32 14->26 dropped 28 C:\Users\user\...\fzVlWoK.exe:Zone.Identifier, ASCII 14->28 dropped 52 Tries to steal Mail credentials (via file / registry access) 14->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->54 56 Installs a global keyboard hook 14->56 58 Tries to harvest and steal browser information (history, passwords, etc) 22->58 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aed18cdef3de7bb5192dec939a7b6e8989ce8a6dd1da25ae640f8f2586b29eae/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2023-01-04 17:04:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3iyzxxt3z53kgjn5sjzu63orge45ctn2hncllteb6hslbvst2xa._file
Verdict:
malicious
Similar samples:
15008ec3816e2a10d985e9763ac5d64bbc70ddaee7dc0db5686dca17a466045d
AgentTesla
28b8b2a27c23003085e868930effb3f53adb96a1665e3248ac8b21be405aa7dc
AgentTesla
572e6066888624b7fa82b7bc17bbe0dc05440b4031cc71fc38f4d67a0571799e
AgentTesla
b6efd81dbe299d7f5bb1c741982a60524299d6592ab78fd83aefa79a8971af1d
AgentTesla
c048c4d51140f504ff055b79d88102cef846a42fd65018354e97d549ef8e6891
AgentTesla
c754f76eefb0ac8ba7da335bbdc3e50ce786a331f41056215367418fca46c1a5
AgentTesla
d4ac13d49e5ee5673ea8e80faafeac2ba94fad27ac44fc7a5ac819e1e0b70d0b
AgentTesla
f8b91c3419d4afe1cd3cdb4deffa3baa3f0e8dd92f41784d99497106075267d8
AgentTesla
+ 20'727 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230105-hzyceaef7v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/42067cae-d9f2-44d2-9294-d196f01973ad
Unpacked files
SH256 hash:
fb0e44e90c1e82dfed3a1af7b7da8a6209bb750703dbc27c02d6a012d6d69a45
MD5 hash:
4da6d61a74ca2827e60a48a330a638c3
SHA1 hash:
e32628cf31bb95be6f643ad888e425897fd4cacd
Link:
https://www.unpac.me/results/9a67cdd9-f706-4b95-9a8d-5ec2cae8e072/
SH256 hash:
b630f0314d1ef7e2ada51479bf2a2acf00e8bed918d46e7dbf25466a6e5faae3
MD5 hash:
2a245189240d2ed4a5a401e9cfc8aaf8
SHA1 hash:
97b879f151d43efa466ea1db0e7fcfa9d1af52ee
Link:
https://www.unpac.me/results/9a67cdd9-f706-4b95-9a8d-5ec2cae8e072/
SH256 hash:
9db2396f63360bba3ea4531efd6e99ced895097c8efd7dc14b80ed381eb3f6a3
MD5 hash:
08c0698520fb3779b527d4c2941cb1da
SHA1 hash:
03918349cb9117a92db11604bc71f198cf3d4775
Link:
https://www.unpac.me/results/9a67cdd9-f706-4b95-9a8d-5ec2cae8e072/
SH256 hash:
aed18cdef3de7bb5192dec939a7b6e8989ce8a6dd1da25ae640f8f2586b29eae
MD5 hash:
1c753b0df42d39cb6c5b714d7f46ecd0
SHA1 hash:
2bd1d2db39bd1e2861b9c43b1ac87acf3c232395
Link:
https://www.unpac.me/results/9a67cdd9-f706-4b95-9a8d-5ec2cae8e072/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aed18cdef3de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aed18cdef3de7bb5192dec939a7b6e8989ce8a6dd1da25ae640f8f2586b29eae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe aed18cdef3de7bb5192dec939a7b6e8989ce8a6dd1da25ae640f8f2586b29eae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/349559/

Comments