MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b82ed3f172b7bf08b9b825fb75f9b8e49a3d3f9ff677b13788e29921793672b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b82ed3f172b7bf08b9b825fb75f9b8e49a3d3f9ff677b13788e29921793672b2
SHA3-384 hash: 35a43b476e576848ea3f24e6666f7bed0986580c32049dd570bfa1e07505935a3964e8c43e53c06d189029051799c28c
SHA1 hash: 8e385de66853420a5dde3745de45190c8f88e308
MD5 hash: c9337cfc0bee0550f7d16cec5c6ed688
humanhash: single-avocado-ack-high
File name:ytrrt.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'274'368 bytes
First seen:2020-10-19 10:38:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:lAHnh+eWsN3skA4RV1Hom2KXMmHaOilPNR+KgjRDShojTf85/VsnT6D5:Uh+ZkldoPK8YaOOPNk5dTfsVs6
Threatray 6 similar samples on MalwareBazaar
TLSH 6645BE0273D1C036FFABA2739B6AB60556BD79250133852F13981DB9BD702B2137E663
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: alnassar.com.sa
Sending IP: 162.244.93.110
From: TTNET <it-server@handinhandfelixstowe.co.uk>
Subject: İnternet_Gelen Faturalar_19.10.2020
Attachment: Fatura_A162020001941881.img (contains "ytrrt.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72898/
Detection(s):
SecuriteInfo.com.AutoIT-3.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.EmbeddedEXE-5.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/495266
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b82ed3f172b7bf08b9b825fb75f9b8e49a3d3f9ff677b13788e29921793672b2/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 08:15:14 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xaxnh4lsw67qronyex5xl6ny4snd2p476z33cn4i4kmsc6jwokza._file
Verdict:
unknown
Similar samples:
48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000
AgentTesla
b3db12ee110a51adbbbe9901d5c5ad135aae575a37a8f2a5632b88eedacede6a
AgentTesla
b559b57a32b925a016e954b9d499baccd9c629ab3218858a9019e276b0831c4d
AgentTesla
bd752c46af3d020a57a29458209f135518890abdcac5934b754a8fddf20435cb
AgentTesla
e821cabb0421506c21032d4aef9db65725c4aebbbc61f31da0d269937f91e891
AgentTesla
f8ead6b4249948dc3a300ba676acbdf6cb85ef6aef32d6bea64e9b6eb5a75f73
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201019-6k5vk8hkbx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b82ed3f172b7bf08b9b825fb75f9b8e49a3d3f9ff677b13788e29921793672b2
MD5 hash:
c9337cfc0bee0550f7d16cec5c6ed688
SHA1 hash:
8e385de66853420a5dde3745de45190c8f88e308
Link:
https://www.unpac.me/results/8c5e0201-80d3-4187-ae8f-198b2b5f65af/
SH256 hash:
be4fabd66b008b5fe6840b4882389474e56e0966d6413dc1cd03c0820a8c2eb0
MD5 hash:
cc964427c44596be16559cae108796f2
SHA1 hash:
b68e49c5c97297c403855165a207b7c74ea2d0fc
Link:
https://www.unpac.me/results/8c5e0201-80d3-4187-ae8f-198b2b5f65af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b82ed3f172b7bf08b9b825fb75f9b8e49a3d3f9ff677b13788e29921793672b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 40ccfa6451d80e6a6d7a8d06732eb613e8d28c77de4817d765cd137a67dc379e

AgentTesla

Executable exe b82ed3f172b7bf08b9b825fb75f9b8e49a3d3f9ff677b13788e29921793672b2

(this sample)

  
Dropped by
MD5 6690d329de3455cb5d614d3b3038f403
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72898/
  
Dropped by
SHA256 40ccfa6451d80e6a6d7a8d06732eb613e8d28c77de4817d765cd137a67dc379e

Comments