MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af660afc27dcf12ba5584b2e8b6c5fc2b3a90da9d00d3c44b3c0391c9f627530. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af660afc27dcf12ba5584b2e8b6c5fc2b3a90da9d00d3c44b3c0391c9f627530
SHA3-384 hash: 85eb07037a19b62217531bb2242a9776b73b5af8906409a642846390901a0809c5fcb6498f0564e92c0a5d32ad21431d
SHA1 hash: 66a704848675b784e7914b4150d37b1f31079b2c
MD5 hash: 73a9389a6247a97e03c17f239b96869d
humanhash: california-twelve-bulldog-video
File name:FedEx_AWB#5019909274.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:664'064 bytes
First seen:2023-08-30 06:31:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:NEC0h36UZo+3/I+dnfOys+yngPvmbwMqtISJsBEsjA0zQ8K935Rv:NPS3ho+gAnGyWgPvmbfqtCEst1K9D
Threatray 5'614 similar samples on MalwareBazaar
TLSH T114E4221222A56F1BD5BF9BF509A1741053F0360614B1E73E2DD31AEB2960F09E2B2B67
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe FedEx

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
FedEx_AWB#5019909274.exe
Verdict:
Malicious activity
Analysis date:
2023-08-30 06:41:43 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/ec72c28a-de3b-4db1-9259-40099fb87ab6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445222/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64eee264b3b7d7c782d12987/reports/109d7a42-7ce6-4aa2-8ccf-a1d0148c7527/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/af660afc27dcf12ba5584b2e8b6c5fc2b3a90da9d00d3c44b3c0391c9f627530
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a927e3ac-0f2b-45dc-905b-a6501c9fac50
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300174
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af660afc27dcf12ba5584b2e8b6c5fc2b3a90da9d00d3c44b3c0391c9f627530/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 06:43:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5tav7bh3tysxjkyjmxiw3c7ykz2sdnj2agtyrftya4rzh3couya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0763c342c24ead7900fdc994102dd981fd66e0097bef7db0e665b791b24d00e0
AgentTesla
710fa86210820e8990d72fde020d01022c213ef03c036d1ed1ce96e8a07eb9ce
AgentTesla
9bee15aa43bcdb1c361ba488354de254e7860b9f006ad7ce7602adc6d7667e62
AgentTesla
a444429e646f262a1380c2ec47c7459010b36f1ded2174026584d43070974da7
AgentTesla
ccddf3fe6a00fb7d71df42df100e1cef6c07c21de1c3718cb9704bf6b36f2020
AgentTesla
d4c65b87adae3913a730961c55284473afd9522648dab49cbb44eb716918ea0f
AgentTesla
ef0a41bf12a3085143abafdd6a05753acdfa9359cf4bd682d85b565fdeb00a22
AgentTesla
f03f1ae3d3d6bde555d9bc841f8b11ee27459cb9937ae50298b24acb3190552e
AgentTesla
f4d50f538efd2ade1a4aa8ad827b6885af60dfcee80abe5efce6589318d7b45f
AgentTesla
+ 5'604 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230830-halx3sab64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1144547545947836496/4klhci_uskNU76hxRRnyNW7rpPV-lgpVKnBNpfkC6xW0NKv5ciAovXJ9J6jm_jK4_i8X
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/51f3cf45-018c-44b9-a3cb-5b2b3cfc851d/
SH256 hash:
ebaf28744bfa555219d56440db49703efd0e1757e3e219eef119725b4f0090d5
MD5 hash:
13574c506380e6ec0da25e442099b8e4
SHA1 hash:
9900c86a1bb5a605e34de9a4167aa3b93225ec33
Link:
https://www.unpac.me/results/51f3cf45-018c-44b9-a3cb-5b2b3cfc851d/
SH256 hash:
ccaeea59c0a7db1fd32814772a8a683c0b8d32cbe02214eac8f5d338b0576bd8
MD5 hash:
c460bfcdb4d0dc7825d6944838410025
SHA1 hash:
7d127cf6d971e9fb02f35925eafa7484d492ca30
Link:
https://www.unpac.me/results/51f3cf45-018c-44b9-a3cb-5b2b3cfc851d/
SH256 hash:
bfa9934be36b911cd25737b515137eccef4db8cfd28d9cf21fd632bcec78690f
MD5 hash:
bfc80ce50792578e78f0c6a9f69ac62b
SHA1 hash:
18e1981e9bbc5b24c2362044bd6f54f4db86413d
Link:
https://www.unpac.me/results/51f3cf45-018c-44b9-a3cb-5b2b3cfc851d/
SH256 hash:
af660afc27dcf12ba5584b2e8b6c5fc2b3a90da9d00d3c44b3c0391c9f627530
MD5 hash:
73a9389a6247a97e03c17f239b96869d
SHA1 hash:
66a704848675b784e7914b4150d37b1f31079b2c
Link:
https://www.unpac.me/results/51f3cf45-018c-44b9-a3cb-5b2b3cfc851d/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af660afc27dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af660afc27dcf12ba5584b2e8b6c5fc2b3a90da9d00d3c44b3c0391c9f627530

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe af660afc27dcf12ba5584b2e8b6c5fc2b3a90da9d00d3c44b3c0391c9f627530

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445222/

Comments