MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 100dbf5f7cae1bd81a5612d58c157dbe8c589745ddf3454ffb52dae5287552e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	100dbf5f7cae1bd81a5612d58c157dbe8c589745ddf3454ffb52dae5287552e0
SHA3-384 hash:	c80d15d02d2d61ecf9bf88ec11b8cc7d37e9c2fa568b6236fadc1f81031c38f98bb8e17d1392a631276a2d56fa367af3
SHA1 hash:	f8c4d6ddc7504c0e88e261d4f44c9ec6c3d436f2
MD5 hash:	89e16697ce7b93befd01566fc16493c4
humanhash:	vermont-speaker-carpet-lima
File name:	TEKLİF TALEP TUBITAK SAGE_xlsx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	654'848 bytes
First seen:	2022-07-21 11:59:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:y9Ggg31hbx823X5nc0SpxmlLb+BbYINeXaemnREoTSQDw:y98bxpZZuTNeXHmnREm
Threatray	17'914 similar samples on MalwareBazaar
TLSH	T1C9D4023376F7E911C53843B280D2124806F2630E7577E91E35DEBA5A85E23EA5E813E7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

326

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293164/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.44349.11880.14868-222265.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed strictor

Link:

https://www.filescan.io/uploads/62d9403e0e298a94f3e8187a/reports/384adc4f-5f1f-4997-b7ac-c954e856b7db/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2676c129-a097-4943-89c6-d217f3386b23

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1038559

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/100dbf5f7cae1bd81a5612d58c157dbe8c589745ddf3454ffb52dae5287552e0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-07-21 08:54:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cag36x34vyn5qgswclkyyfl5x2gfrf2f3xzukt73klnokkdvklqa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2a9e7a346cc0736d2564db25283252ea9ea47630bb93d44b83841d2cd3e020bb

AgentTesla

3de2b99f225f06ff2d1a1f29fd6d9a02cc2820d0d929ca3f85e22e9743085865

AgentTesla

49f6f950b9d9555778312d4a4a10d2ab6ad7a53e84ceb646cabc4b23e326fb6d

AgentTesla

6dc9b15607a6135a45a47a54ff6ae7bc437e3e69d73adc101a94e20c4944a606

AgentTesla

8126addf40ee416e253cf5b46048633dc836856575e92ce271854417a1ddf9f7

AgentTesla

9a2cb78785196ff5a09b428bcf2325d0d3f2455d3607e86edac32273b9a66705

AgentTesla

a0669c333cd5683b938d7525828022547ddcaa61e924ca7f4a29e484d0c7100a

AgentTesla

b396f3f9fa5b3acac6ddbd6699ceeff35c671c1d0d595a69b187c2a107cd31eb

AgentTesla

f5d45ca990682655ef1f87ff669567c6fc0fbd63d81970a0f95a87ef360a5fa8

AgentTesla

+ 17'904 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220721-n6a4cafgbm/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Unpacked files

SH256 hash:

136019e13a4777ed649fdf0f061e4ad169c91fc210a979eb29b22bc26c56223b

MD5 hash:

7aeaa422e0d009c69824cba4de40c79b

SHA1 hash:

40ff36f198bc61b6151f28451f24558e511042d2

Link:

https://www.unpac.me/results/ded13507-e403-4939-959e-ccbed835b414/

Parent samples :

c69020d319adad3cbafcc89ed03083094e1484ff9b473b70434e2be28f4eaaf6
f6a5112b969d1fa88dbd095df950e3b586b00166c857656c1da21685ab94e093
4164d3bec950ac04c1a2e8edc8b4bccc4526daa5400e011c2622e9b08c720901
74364dacad18ae5d6930c6b8d3c41210ef3d3c2c7899386c2b2c17d7c84142ec
4c88e26f710c4aec376be1d0162bc0edbb5dc0092f5c786c9f5c15b4c5bc9706
b153261c18823db96bfd055e398bac3f7c3853aaa006c2017dc17d13e49e23f1
b90d614aa6a712c1c1ae460f35a852005123f2719fa15faf1837e90a8b138d2f
ed4b9afcb717295f5fb71bcc6f408dbbed12c6858ee2f20a1f7bd2ab72074fc6
ee215a3ddd28f9c0599ade58c8e18c1735abe7fd9883fe846ce480ced27aa663
9bfcddc5558b99ca104647f9f65f6eeb585d7eada6a786e841ff71d9a7a4c682
c67f1aa3ba774093756918e8dc2a2064e1d8e39a91f09c01d55ad38e73ef5a3e
a7cbbba4240bca662bb18a1b8f3de13c839b3714ca8a869fb5c99dda91f43913
bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf
f9310537144e0d9dac0a50fee380fa07322354e9248454c1bb60144c8bfd22cd
cf44163e574fb84c598bd3a738aac3119c0f64cc7c6fce5739faca7ea9158bcc

SH256 hash:

2893fab97bc9f9e52d5859978bc5639d55ac2ae7a83b8a735681ee9f074f95dd

MD5 hash:

1af7806cb5a737bf7799d27425d18ee1

SHA1 hash:

0cc3f607b87281623afd36c1160b5823f1dc8c57

Link:

https://www.unpac.me/results/ded13507-e403-4939-959e-ccbed835b414/

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/ded13507-e403-4939-959e-ccbed835b414/

SH256 hash:

ca4e3745f87ae419e10fa9dd15e9814f66a7dca601ae70bd3ae3b0b0781e9491

MD5 hash:

6491ab64072f34a6124f4cdf1d9bdd43

SHA1 hash:

78008e0c188d1732ebb5bbfe6d15892ebe32b1f7

Link:

https://www.unpac.me/results/ded13507-e403-4939-959e-ccbed835b414/

SH256 hash:

60153a5e4d6f7a2b4a1055cb33ef8e8cd63ff6d3b061834fdf1f7889376b0215

MD5 hash:

f9c92420e4bd1b4bc2c61e8c19372a49

SHA1 hash:

1fabaf8c323541022c82293eff23dc4f64c121a3

Link:

https://www.unpac.me/results/ded13507-e403-4939-959e-ccbed835b414/

SH256 hash:

100dbf5f7cae1bd81a5612d58c157dbe8c589745ddf3454ffb52dae5287552e0

MD5 hash:

89e16697ce7b93befd01566fc16493c4

SHA1 hash:

f8c4d6ddc7504c0e88e261d4f44c9ec6c3d436f2

Link:

https://www.unpac.me/results/ded13507-e403-4939-959e-ccbed835b414/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/100dbf5f7cae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/100dbf5f7cae1bd81a5612d58c157dbe8c589745ddf3454ffb52dae5287552e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 100dbf5f7cae1bd81a5612d58c157dbe8c589745ddf3454ffb52dae5287552e0

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/293164/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample