MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 599b057032b8e99d9d2a303864311b3f715c2c0a94634a39d4ea1c7141e2a90e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 599b057032b8e99d9d2a303864311b3f715c2c0a94634a39d4ea1c7141e2a90e
SHA3-384 hash: f866ad9c3ce56a06daf91ea97951abcea60862540ed9472c00c8c27ae0556c6afd6ce3a2e471259f97083b55b80f1d26
SHA1 hash: 0f7198e53008ea0842b7e3c67f4612398bb63c60
MD5 hash: 899f230bcf71d17b8d4b1fe86e29e524
humanhash: floor-solar-mobile-grey
File name:EACTS sample product requirement 23rd october 2023 pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:64'512 bytes
First seen:2023-10-23 13:23:09 UTC
Last seen:2023-10-23 13:34:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:xS+RSO3K6OHjZqXxbeakXo79jzXY/UTpTAY2PX9qSf2d6RyHqNt:xNRSO3qtqBzkXo79jzXY/EGYu9qSud6L
Threatray 1'474 similar samples on MalwareBazaar
TLSH T163535B097B8C9A57C7FC48BEC5E261054BBAD1B32243E357EEC0B1E81953BF94942687
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EACTS sample product requirement 23rd october 2023 pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-10-23 13:23:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c1bde18-ad35-46dc-9fc1-57d6c7a2a4d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.19638.16894.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/653673f44678fc28dfc61b78/reports/8878b06a-a422-4458-9504-1e55b9e5c1ff/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/599b057032b8e99d9d2a303864311b3f715c2c0a94634a39d4ea1c7141e2a90e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9eb304d5-0d34-4f4a-9556-1ee14b768f85
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330598
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330598 Sample: EACTS_sample_product_requir... Startdate: 23/10/2023 Architecture: WINDOWS Score: 100 87 mail.dayanbiotech.ir 2->87 89 web.fe.1drv.com 2->89 91 4 other IPs or domains 2->91 95 Found malware configuration 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 9 other signatures 2->101 10 EACTS_sample_product_requirement_23rd_october_2023_pdf.exe 16 6 2->10         started        14 Bmqeyflam.exe 14 4 2->14         started        16 Micosoft Excel 2020.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 85 C:\Users\user\AppData\Roaming\Bmqeyflam.exe, PE32 10->85 dropped 119 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->119 121 Creates multiple autostart registry keys 10->121 123 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->123 131 2 other signatures 10->131 20 EACTS_sample_product_requirement_23rd_october_2023_pdf.exe 1 5 10->20         started        25 cmd.exe 1 10->25         started        27 EACTS_sample_product_requirement_23rd_october_2023_pdf.exe 10->27         started        125 Multi AV Scanner detection for dropped file 14->125 127 Machine Learning detection for dropped file 14->127 129 Adds extensions / path to Windows Defender exclusion list 14->129 29 cmd.exe 14->29         started        31 cmd.exe 16->31         started        33 cmd.exe 18->33         started        35 cmd.exe 18->35         started        signatures6 process7 dnsIp8 93 dayanbiotech.ir 5.9.154.209, 49740, 587 HETZNER-ASDE Germany 20->93 81 C:\Users\user\...\Micosoft Excel 2020.exe, PE32 20->81 dropped 83 Micosoft Excel 2020.exe:Zone.Identifier, ASCII 20->83 dropped 107 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->107 109 Tries to steal Mail credentials (via file / registry access) 20->109 111 Creates multiple autostart registry keys 20->111 115 2 other signatures 20->115 113 Adds extensions / path to Windows Defender exclusion list 25->113 54 2 other processes 25->54 37 Bmqeyflam.exe 29->37         started        40 conhost.exe 29->40         started        42 Micosoft Excel 2020.exe 31->42         started        44 conhost.exe 31->44         started        46 Bmqeyflam.exe 33->46         started        48 conhost.exe 33->48         started        50 Micosoft Excel 2020.exe 35->50         started        52 conhost.exe 35->52         started        file9 signatures10 process11 signatures12 103 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->103 105 Adds extensions / path to Windows Defender exclusion list 37->105 56 cmd.exe 37->56         started        59 cmd.exe 42->59         started        61 cmd.exe 46->61         started        63 cmd.exe 50->63         started        process13 signatures14 117 Adds extensions / path to Windows Defender exclusion list 56->117 65 conhost.exe 56->65         started        67 powershell.exe 56->67         started        69 conhost.exe 59->69         started        71 powershell.exe 59->71         started        73 conhost.exe 61->73         started        75 powershell.exe 61->75         started        77 conhost.exe 63->77         started        79 powershell.exe 63->79         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/599b057032b8e99d9d2a303864311b3f715c2c0a94634a39d4ea1c7141e2a90e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/599b057032b8e99d9d2a303864311b3f715c2c0a94634a39d4ea1c7141e2a90e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-10-23 08:02:28 UTC
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgnqk4bsxduz3hjkga4gimi3h5yvylaksrruuoou5iohcqpcveha._file
Verdict:
unknown
Similar samples:
1ecf4a80641db7366f049cd1a60eb75d36eb68578d5e71e4e72d2474aa9be7bc
AgentTesla
4bc7979e8e63f880e9f4d7be6e59e55c059f5de3377837fcac7d167e3d4fc19f
AgentTesla
65c4d932a71d1f36d1c57b7ed319c20446d3c935b60f8f1262bc047e1c6556ff
AgentTesla
6e006fa2cf49e2c52add436f266e2f62fb53ec936dd3caf536749d859240d6ae
AgentTesla
72e5420f9ce8e361479ffa0959e14c29d10b3112c0cbafbde4554506d1bd665a
AgentTesla
a830eaba9888a6fa0a3cbf85da3636f1c41ae7a0372cbc5cfab0efd197894fc9
AgentTesla
b916d475339eb0e64ad8e4e8bf897adb317c8add907ca4f72c1b7fda76cd8550
AgentTesla
c5bf13f324052f8e3240024494c7c4bf809e3c423a59fabd0cd067e01a990ee6
AgentTesla
ff7cea1471a8650fec0cf17b7006d68320702939027341f922389672bfe88115
AgentTesla
+ 1'464 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231023-qnc64agh4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
599b057032b8e99d9d2a303864311b3f715c2c0a94634a39d4ea1c7141e2a90e
MD5 hash:
899f230bcf71d17b8d4b1fe86e29e524
SHA1 hash:
0f7198e53008ea0842b7e3c67f4612398bb63c60
Detections:
win_delivery_check_g0
Create hunting rule
Link:
https://www.unpac.me/results/24cebf08-4452-4a17-8a6c-50d7f36dc3f3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_delivery_check_g0
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments