MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bae9a997d8e0c566b8f0a8dbe770baa1ec2360df8fbf8239305fed7dae1f28e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	bae9a997d8e0c566b8f0a8dbe770baa1ec2360df8fbf8239305fed7dae1f28e9
SHA3-384 hash:	5b06c9c73e898f47ef11d6cad92ca21eb2f1c3745546e84f9d3135efe3c1521ee5a7c4b791c01bf992758ef08a9ff045
SHA1 hash:	049cc0a2b0233b159e0ec5ae14c76ead65d2217d
MD5 hash:	6b553b88b3f95b4f70d087d2341d2707
humanhash:	winner-quiet-xray-mobile
File name:	1691602996d1f10dbcfd907a0e4a46310170143d377ddd575ec603d8e7b7b4535437b478ee158.dat-decoded
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	244'224 bytes
First seen:	2023-08-09 17:43:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:eJFUrlziaqxrbkSDigZPdZNT88nEetXjNWH8:M0ziPxXkAigZP7NY8EetXs
Threatray	5'516 similar samples on MalwareBazaar
TLSH	T19334ED177E44EB11D65C3937C3EF6CA813F2A0C70673960BAF48AEA529512436D6E36C
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	AgentTesla base64-decoded exe

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

286

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

1691602996d1f10dbcfd907a0e4a46310170143d377ddd575ec603d8e7b7b4535437b478ee158.dat-decoded

Verdict:

Malicious activity

Analysis date:

2023-08-09 17:57:35 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/95077080-5850-48f9-ab54-091a9ee6ec91

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/441767/

Detection(s):

Win.Packed.Generic-10003641-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Reading critical registry keys

DNS request

Connecting to a non-recommended domain

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Stealing user critical data

Gathering data

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/bae9a997d8e0c566b8f0a8dbe770baa1ec2360df8fbf8239305fed7dae1f28e9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6dc50b6-3739-4b10-a56e-14936e728bf5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1288856

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bae9a997d8e0c566b8f0a8dbe770baa1ec2360df8fbf8239305fed7dae1f28e9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-08-09 17:44:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xlu2tf6y4dcwnohqvdn6o4f2uhwcgyg7r67yeojql7wx3lq7fduq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3a04516d71e6a24f0f20da46230239ca177e6c1d76cb887948344694e2a376a4

AgentTesla

5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108

AgentTesla

55f47949fa46a7652f50e310846d3a98711dd942ce021cbf68f57bf69e858d2a

AgentTesla

a41aa6ac96ed5cceaa4ad9badd1b0d49c34aeb0513081a768fd0f9da2c4f9432

AgentTesla

b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236

AgentTesla

ba698cd54cd138ebd1df234e780463070b9e108e980512fb33a857af1c3c6248

AgentTesla

cf5076ce2ae1cbfb94993dbfb3f5f2c9c488fda02aa30da75693645a214b6459

AgentTesla

e949856ccd8b9d36fb7c2322f2c09d2a969c0121c9b08361cf16dc08c316d3ad

AgentTesla

eb8e351b8fdaadf5429c19d052428ab81b91170406b937d0f3753e334a757fe3

AgentTesla

+ 5'506 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230809-wa8czaff9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

bae9a997d8e0c566b8f0a8dbe770baa1ec2360df8fbf8239305fed7dae1f28e9

MD5 hash:

6b553b88b3f95b4f70d087d2341d2707

SHA1 hash:

049cc0a2b0233b159e0ec5ae14c76ead65d2217d

Detections:

AgentTesla

Link:

https://www.unpac.me/results/eba51a18-90e1-4ca8-ae78-1601deabe3ee/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bae9a997d8e0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bae9a997d8e0c566b8f0a8dbe770baa1ec2360df8fbf8239305fed7dae1f28e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d1f10dbcfd907a0e4a46310170143d377ddd575ec603d8e7b7b4535437b478ee

AgentTesla

exe bae9a997d8e0c566b8f0a8dbe770baa1ec2360df8fbf8239305fed7dae1f28e9

(this sample)

Dropped by

SHA256 d1f10dbcfd907a0e4a46310170143d377ddd575ec603d8e7b7b4535437b478ee

Dropped by

MD5 ad1afd086d3536b5c9dbf0854711c49c

URLhaus

https://urlhaus.abuse.ch/url/2703366/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/441767/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample