MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929
SHA3-384 hash: a4f21125430a305cfef3324dfcd73e4ec9ea2894f1689596a5f7d3a5c2050353e981063466911bbbc0a4578e6f926bc0
SHA1 hash: 74e3fd3f4eb863219859d01e1b7f520f2164170a
MD5 hash: 2f4ee838d527530c51d1d9c3c78ee810
humanhash: carpet-vegan-happy-timing
File name:Statement Of Account.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:696'320 bytes
First seen:2023-09-21 06:52:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vrTEisUH/T6Fuc4nMjtIp81md9ybYHi65RLfg4o1I8wh/E:TTEW76FcnMjSp81S4Gh5RLoZY
Threatray 1'578 similar samples on MalwareBazaar
TLSH T1E2E4121D3A6B0A13E91DAE7CD2A150C017BD9D537093EB2FDF95A0E239A67804460EF7
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Statement Of Account.exe
Verdict:
Malicious activity
Analysis date:
2023-09-21 06:55:46 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/94c1d801-4090-46f3-852f-4587bbdb81cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450272/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for the window
Creating a window
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger masquerade packed
Link:
https://www.filescan.io/uploads/650be85332ffdb7a7a0e2449/reports/e53e6d4b-196d-4cdd-bf95-2e521fc16a66/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b81960c0-42da-4184-8133-b7d03aab0126
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312065
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1312065 Sample: Statement_Of_Account.exe Startdate: 21/09/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 7 other signatures 2->55 7 Statement_Of_Account.exe 7 2->7         started        11 wLOESXveLztC.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\wLOESXveLztC.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpFD49.tmp, XML 7->37 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 67 2 other signatures 7->67 13 RegSvcs.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 23 RegSvcs.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 39 webmail.ultra.aqfoam.com 103.6.198.192, 49720, 49722, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 13->39 41 api4.ipify.org 104.237.62.212, 443, 49719 WEBNXUS United States 13->41 43 api.ipify.org 13->43 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->71 73 May check the online IP address of the machine 13->73 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        45 64.185.227.156, 443, 49721 WEBNXUS United States 23->45 47 api.ipify.org 23->47 75 Tries to steal Mail credentials (via file / registry access) 23->75 77 Tries to harvest and steal browser information (history, passwords, etc) 23->77 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929/
Threat name:
ByteCode-MSIL.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 00:46:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ktgw2h2nowfai4zq7f53wwxzsxbsjgia67r7jji2epl3ni7heuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b0318f358aef711c6fa5b14ad387579602bfa2d622036343e6aa65cab1f5b9b
AgentTesla
53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4
AgentTesla
5d7c266d259671e981012277ca6b1096ba64700659a4bd21e89f9e85af3dd53a
AgentTesla
5f273aebe2382d4bd8848327b27b769977665826be46a21766b77ca7f98f9b96
AgentTesla
650f2f1215bca8640d5edd8d0a5067d40efd6d6272c55ddf1451e7c177fea406
AgentTesla
91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68
AgentTesla
cbc31caf32b2849eb3d0b11dd39ed17b7ee4354725f1af91df412daf57104fd0
AgentTesla
d2b96f81cdc50ac6f192eab0fb6ca508f011f5fd13e69c4d83396ff092cf7ac7
AgentTesla
f735ffec33b8b8cb2a2d935a1600a6902b95508b5faf5c67f2612548e9773538
AgentTesla
ff87df006fb01a3f40c3eaa5f64efbb699378e096c28d4179eb5b3c023774acc
AgentTesla
+ 1'568 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230921-hnmfrsga78/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
0a562c1f9c2fb6ed50f92a1b18827175c8233ef31da92a3070fc38cc5147f3b6
MD5 hash:
7004e7499403c71e8b066d0cfc371241
SHA1 hash:
eaed80e45b90b7876e13e47516f3cf2cd7184fa2
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/6cd3a1c0-4a91-4c25-90f9-99afc5b7b812/
Parent samples :
ab1144d8fcde912bc3e50f59f24eeb6fc6fb37cb5c20f194e41075e1baadb261
dafe0df547619cf487f3f4e3a0ef2fb26bddb5e70a69086aa74b52ce9f6fe519
eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929
9f9dd91a9d7373e39a8e7adc7e7ff1adba045e4590798eaf47f2a701e8036331
e146c10d13f2ed30acbf8733bf5b3ae1e75572fd917d8b6749b69c54676e9923
b4897fb2b7450804ea184f77c7661b1af8c022c294d69f127e8c1ee47f37ca68
b93fab56242eb11d31992191aa2a57f93c8f9b77d1041b4c97e830f2b4ff5045
0eb8bbeb7db95d53ff488d6177e646ad9d461e96d5cca5115e332d08352f4b15
SH256 hash:
a8a5fa695501c7d7e1c70dc9c7aa9dbaa98d03c4ded262947811cb883c3afe7d
MD5 hash:
200ab8e098a1e41ca357d3cdcfab4bdf
SHA1 hash:
dc2a6966c9b964286e41d8cc77d57bc5e41ed216
Link:
https://www.unpac.me/results/6cd3a1c0-4a91-4c25-90f9-99afc5b7b812/
SH256 hash:
12160eff8564633264da18bf0031dd29b374e438377db923c1ad0938e618e7d9
MD5 hash:
7a3db8ef006ba88f69b43d885d4a033d
SHA1 hash:
86e7536845add46f8b373bab670c9909b9dc3170
Link:
https://www.unpac.me/results/6cd3a1c0-4a91-4c25-90f9-99afc5b7b812/
SH256 hash:
f18ede1829f6537e67a2f4e8cdcd767ee6b50b8dab392ecf26c75ac34e1494fb
MD5 hash:
65d61d54ea7665a497fed9699cc9e7e5
SHA1 hash:
8418bb9f902beac21267a1a60ac8431a4179defc
Link:
https://www.unpac.me/results/6cd3a1c0-4a91-4c25-90f9-99afc5b7b812/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/6cd3a1c0-4a91-4c25-90f9-99afc5b7b812/
SH256 hash:
eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929
MD5 hash:
2f4ee838d527530c51d1d9c3c78ee810
SHA1 hash:
74e3fd3f4eb863219859d01e1b7f520f2164170a
Link:
https://www.unpac.me/results/6cd3a1c0-4a91-4c25-90f9-99afc5b7b812/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eaa66b68fa6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe eaa66b68fa6bac50239987cbdddad7ccae1924c807bf1fa528d11ebdb51f3929

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450272/

Comments