MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dae342e7ff601fc56257e1cc03a7eb9478d4215ba7bb2a5caaad4355bad886d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dae342e7ff601fc56257e1cc03a7eb9478d4215ba7bb2a5caaad4355bad886d6
SHA3-384 hash: 0d03c974a5f2b79948c8950871a04e07fd175c3ec39c12a33abb162e3c483e88bedf7909cd778ded435b85ea6c389f24
SHA1 hash: 56b94f6484f17f87d4a91cd480f61128d2b376d9
MD5 hash: 09d1bb01da8b74cca682766758b4d4bd
humanhash: tango-seventeen-romeo-cat
File name:09d1bb01da8b74cca682766758b4d4bd.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:421'888 bytes
First seen:2021-06-24 15:36:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:YK9cTWRHQtA+jacMGTGfd4kIbqEK2+pZlf/GgeLhpOoByZ3jdIsEyiYkkr:X9cTxW+ucOfdtIb62Yf+PB2356yy
Threatray 1 similar samples on MalwareBazaar
TLSH C594F1182BFE2326E5BFABF529A4219087FE71761512E54D0CD121CB1A62F40DE81FB7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.itelcom.net.au:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
new order.doc
Verdict:
Malicious activity
Analysis date:
2021-06-24 13:58:12 UTC
Tags:
ole-embedded trojan loader
Link:
https://app.any.run/tasks/511cbcc8-513c-43e6-8a19-ce7f9a763a43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168073/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.7932.22629.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f04d48d0-257c-41d5-b1d1-37970e2d005c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807592
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dae342e7ff601fc56257e1cc03a7eb9478d4215ba7bb2a5caaad4355bad886d6/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-24 15:37:14 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lrufz77map4kysx4hgahj7lsr4niik3u65suxfkvvbvlowyq3la._file
Verdict:
unknown
Similar samples:
df0f8724a5cff12da65f785ffdba965eac4ccec51e5ff2c9338344aeb4e01a8b
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210624-8f6h4a4mb2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5dfe41ea3a67294799f6c8a19ce6bd7a24cd9bebe1ebc22744f4bf1aaa52bba4
MD5 hash:
df3f6b2a2a41b878a159c313b4056afd
SHA1 hash:
517fe4cf6d71664452db2de2193edd8470b7c04d
Link:
https://www.unpac.me/results/8a5708e9-94f2-4e7f-a9e7-cd70a8ce9f09/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/8a5708e9-94f2-4e7f-a9e7-cd70a8ce9f09/
SH256 hash:
092e1b716d8c703fd53f03601b9f903adbb0d1e8150aa2c14ed12f0071d4764d
MD5 hash:
4d894b21997ef420d856ebfdff97cfc0
SHA1 hash:
f8a82403e327cd8395a7e93d2944fa964f2ab027
Link:
https://www.unpac.me/results/8a5708e9-94f2-4e7f-a9e7-cd70a8ce9f09/
SH256 hash:
dae342e7ff601fc56257e1cc03a7eb9478d4215ba7bb2a5caaad4355bad886d6
MD5 hash:
09d1bb01da8b74cca682766758b4d4bd
SHA1 hash:
56b94f6484f17f87d4a91cd480f61128d2b376d9
Link:
https://www.unpac.me/results/8a5708e9-94f2-4e7f-a9e7-cd70a8ce9f09/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dae342e7ff601fc56257e1cc03a7eb9478d4215ba7bb2a5caaad4355bad886d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe dae342e7ff601fc56257e1cc03a7eb9478d4215ba7bb2a5caaad4355bad886d6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1395138/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168073/

Comments