MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23
SHA3-384 hash:	4e65a8ebc9df270c1e1dbc3cc97ba3b1c12ad32fa57f11a52ff5a561e8b20e0e72d5b705fc1f5c567bdbe9540876c4bd
SHA1 hash:	71cec9339d3e21934e43ab7ad214209ac0c8feea
MD5 hash:	e8f344422865d7fde6617bfb38364f01
humanhash:	idaho-johnny-west-georgia
File name:	rfq#5644700.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	748'032 bytes
First seen:	2023-06-20 06:54:00 UTC
Last seen:	2023-06-20 08:21:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:yb903YPXuPM7q6bpw4dcZda/igJso5McBF/1uQjO8iX4TEFMUSZCQqQqfU3Fsf+R:yb903Y9zu4CZdO6oMAVzniXpFC/l3Ac9
Threatray	5'443 similar samples on MalwareBazaar
TLSH	T162F412149A96972BD05B4FB85810E374813D6DC97621DAEF0ECF7CDB7E527CA023860A
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	2b2555676501612b (15 x AgentTesla, 3 x Loki, 2 x Neshta)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

rfq#5644700.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-06-20 06:58:54 UTC

Tags:

rat agenttesla

Link:

https://app.any.run/tasks/2661fee8-bf93-49b0-b86c-7ee4edbe5c1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XorStringsNET

Link:

https://www.capesandbox.com/analysis/400892/

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.10723.2329.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

89%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64914d0c3067ea15b6568510/reports/0d3ba24b-1e0d-4841-94ed-be47691899a5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4b64309a-3342-47d1-ae48-ff59d68e0a5d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1257947

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2023-06-20 06:55:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

8 of 37 (21.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=efxioqzupxegwymvhjqjc6sim2o5nubz7xf77gpkfcjzlhzrdirq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

37dc167da39f0b4322d8936d32185c2c99931b63284cc9edb230abd513dffbf1

AgentTesla

38a9f881eb28d8f75c2c21a9cb4de15e472866346c747c480e8e6ec485982067

AgentTesla

4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1

AgentTesla

6171f1157e6d3840397d27a5f484f8595770ad153d5969aa96a058114243cfa8

AgentTesla

6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b

AgentTesla

6f1acd309fb5ffdbfe2e1ca42dd060ed57e2107767f945f47cbbd71a5a189062

AgentTesla

841c2906a20d94ec86b77f8521073f13981909c97a739a06f84a7bb9dc9cbe6b

AgentTesla

ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847

AgentTesla

e33e4865fd5388cb8d3b67d1919d3ec2ee596463012327798fed93a2a282e4bb

AgentTesla

+ 5'433 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230620-hn97tsaf37/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

bf30f7032a6e2fdd6a872718de569645dda2c9e734a4f90a77e5af9a58d75812

MD5 hash:

29432c0db5445ce74b8a1042234187af

SHA1 hash:

fdc1bce5c868fbaed48ff27b3cc73b752bc66e75

Link:

https://www.unpac.me/results/16166413-8bd3-4002-9c49-caac84079cd8/

SH256 hash:

70e64c65f390670d7887a0d9509341a85016d925dd304b54b5a4959955a8113f

MD5 hash:

f352f172c9ee14d78943ee1103765344

SHA1 hash:

fb2ab18c217b4271be05b9a2395774a74c478332

Link:

https://www.unpac.me/results/16166413-8bd3-4002-9c49-caac84079cd8/

SH256 hash:

52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1

MD5 hash:

c785ddc46141af772c75101d17c46a41

SHA1 hash:

e248723b6f60cc7607980d07172b64c33b2b2f15

Link:

https://www.unpac.me/results/16166413-8bd3-4002-9c49-caac84079cd8/

SH256 hash:

f49473f6b978d7660a0dfc358f7b3b030e0d872bbc80a4f40d932f65094fd6bc

MD5 hash:

992f8f64dc0c65e95a260cf29ae5a27a

SHA1 hash:

a2f68f31bf76bb421036297b558b5f1488c26ac0

Link:

https://www.unpac.me/results/16166413-8bd3-4002-9c49-caac84079cd8/

SH256 hash:

a2ae3b92f5f11890c55fc62e2245c157eb4926c2f00a2b18b7437a32540ad3f5

MD5 hash:

f0dacf77d6667be77cdc70a922739df5

SHA1 hash:

3dd1199a334a95cff6f929adc0dc9fa2379725f6

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/16166413-8bd3-4002-9c49-caac84079cd8/

Parent samples :

ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847
216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23
b4808e6181c33178c778467beec7f8ce933b0ba767c4a78821e95776a0655e6c

SH256 hash:

216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23

MD5 hash:

e8f344422865d7fde6617bfb38364f01

SHA1 hash:

71cec9339d3e21934e43ab7ad214209ac0c8feea

Link:

https://www.unpac.me/results/16166413-8bd3-4002-9c49-caac84079cd8/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/216e8743347d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/400892/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample