MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aeea171571e3b606d0ef657b0c23b5cd5d48137f028eb39c4a4bbfe9fada48ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aeea171571e3b606d0ef657b0c23b5cd5d48137f028eb39c4a4bbfe9fada48ec
SHA3-384 hash: 3ce0de4db18f46f0ee84fbf4c6ab6c9f0351f511b64af0666a6668e862a05f63c91e587cca263d1a82f29ae94dcb782e
SHA1 hash: d84040a55d1a18a47c7e81a344018d0ec1bf641a
MD5 hash: b77d6ebcd4b557010d8fcbcf78e6e5b7
humanhash: indigo-lamp-ten-stairway
File name:Fatura Ödeme kopyası_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:534'016 bytes
First seen:2023-04-14 06:01:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:y3NPN8bNSHpJ+rZ2A+HsA4cB9qqEKt6ESpa3LPCLuijOx:gNL+rYZx4c/gKsPpELKL7O
Threatray 2'065 similar samples on MalwareBazaar
TLSH T1A3B4125937550E2BD5B892F51A6A811003F3686B6A71E3CEECC214FFA5D5B801E33E93
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
AgentTesla FTP exfil server:
royal-arois.com:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fatura Ödeme kopyası_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-14 06:02:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f60b5a68-85fd-4d8c-8888-41653075f0dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382141/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed remcos
Link:
https://www.filescan.io/uploads/6438ec5db4ec50bace602144/reports/ac00612f-8cb6-4f52-a7d3-df99efec9a3f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/aeea171571e3b606d0ef657b0c23b5cd5d48137f028eb39c4a4bbfe9fada48ec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d92138e9-84dc-4850-92d9-1e59fce8aee4
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213655
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 846582 Sample: Fatura_#U00d6deme_kopyas#U0... Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 6 other signatures 2->47 6 Fatura_#U00d6deme_kopyas#U0131_pdf.exe 3 2->6         started        10 TYpjaL.exe 3 2->10         started        12 TYpjaL.exe 2 2->12         started        process3 file4 23 Fatura_#U00d6deme_...s#U0131_pdf.exe.log, ASCII 6->23 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->49 14 Fatura_#U00d6deme_kopyas#U0131_pdf.exe 17 10 6->14         started        51 Antivirus detection for dropped file 10->51 53 Multi AV Scanner detection for dropped file 10->53 55 Machine Learning detection for dropped file 10->55 19 TYpjaL.exe 14 7 10->19         started        21 TYpjaL.exe 7 12->21         started        signatures5 process6 dnsIp7 29 royal-arois.com 103.147.154.47, 21, 49698, 49699 IDNIC-DENEVA-AS-IDPTDenevaID unknown 14->29 25 C:\Users\user\AppData\Roaming\...\TYpjaL.exe, PE32 14->25 dropped 27 C:\Users\user\...\TYpjaL.exe:Zone.Identifier, ASCII 14->27 dropped 31 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->31 33 Tries to steal Mail credentials (via file / registry access) 14->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->35 37 Tries to harvest and steal browser information (history, passwords, etc) 21->37 39 Installs a global keyboard hook 21->39 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aeea171571e3b606d0ef657b0c23b5cd5d48137f028eb39c4a4bbfe9fada48ec/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3vboflr4o3anuhpmv5qyi5vzvouqe37akhlhhckjo76t6w2jdwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
AgentTesla
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
AgentTesla
0a65bdc8a4ddc23e2d4fed87eb161185359b5ce38f9483ba5e0786d3c8aa8c34
AgentTesla
349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748
AgentTesla
5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a
AgentTesla
8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519
AgentTesla
9c2c8761ad2b6ff1f1210799eb5235fe597150650e7d593c65a55c39185f4acd
AgentTesla
c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec
AgentTesla
e68df2087331bc53cc8df1fea6ccabb8fd68ce31e9b5a6addbb6bc9036988c51
AgentTesla
f86378105b4028797386149c63ced3dfb596164326381b99257b49ae61d90db9
AgentTesla
+ 2'055 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-grfxqage48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
a88a5d782a07d7ac5aefa111a94ecb37d3fc31dc1c5db195e8ef286ba87f8f0a
MD5 hash:
aacf9e036d5cae010f08565cab86667c
SHA1 hash:
fcbb493224ed3862d3ebf3a2285f8f2a658961b0
Link:
https://www.unpac.me/results/b1a0e081-b0c7-4cf9-825d-c92cf1145cd5/
SH256 hash:
4b6032d534116ce239649e9ca3ceea757854be41f752f35fdf74d62ba5892733
MD5 hash:
f0bd22005b30d49ba7733f7e8ac374d3
SHA1 hash:
ee4c0b39e4bbd20f8a38ed308638a2ae77f24da5
Link:
https://www.unpac.me/results/b1a0e081-b0c7-4cf9-825d-c92cf1145cd5/
SH256 hash:
596417d05f9f07093c2012a87b4ad37da3c0b3768c62299e109c2fef06180f1c
MD5 hash:
f4ea99ed5a74ad2fa8d9d6d6795dfa8c
SHA1 hash:
ac270df07ea50f17f2de0d2e0ee774a8607f9a66
Link:
https://www.unpac.me/results/b1a0e081-b0c7-4cf9-825d-c92cf1145cd5/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/b1a0e081-b0c7-4cf9-825d-c92cf1145cd5/
SH256 hash:
d1d63060254b18e3468f679666f5b1ecbd003b66c70d7a23f668c3a50e292850
MD5 hash:
923a747cb504367a91bc22978a10c76a
SHA1 hash:
91baecddb505c8052f679f92c384ce848b2cdbb8
Link:
https://www.unpac.me/results/b1a0e081-b0c7-4cf9-825d-c92cf1145cd5/
SH256 hash:
aeea171571e3b606d0ef657b0c23b5cd5d48137f028eb39c4a4bbfe9fada48ec
MD5 hash:
b77d6ebcd4b557010d8fcbcf78e6e5b7
SHA1 hash:
d84040a55d1a18a47c7e81a344018d0ec1bf641a
Link:
https://www.unpac.me/results/b1a0e081-b0c7-4cf9-825d-c92cf1145cd5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aeea171571e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe aeea171571e3b606d0ef657b0c23b5cd5d48137f028eb39c4a4bbfe9fada48ec

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382141/

Comments