MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417
SHA3-384 hash: a83f55e85cd08903c1d445253d342a072e85d2758ec0f13ee5e0eb2d8a07e0f491c0fd9b021471f753b22c1e0d7921f0
SHA1 hash: a7ea45c00e701298092e22d1b0dd988bdf22e671
MD5 hash: bf1b297357e3d9320e0d08c9bd2cbf22
humanhash: four-equal-king-football
File name:Product_Inquiry.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:631'296 bytes
First seen:2023-09-29 09:15:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Md725tF3ivQL8+XKP0OrpGt2DQ8mvfdJ9DLAgm0XgOd/vLHh9:ZrFi1KKMOGv8mvlLAgKsB9
Threatray 5'752 similar samples on MalwareBazaar
TLSH T12AD4239D78968760CCDC073A056D3A176374B126E020F3798FDE5AEB8E323595522FA3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b26969e8e8e8f0f0 (23 x AgentTesla, 13 x Formbook, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Product_Inquiry.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-29 09:38:27 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/ddd445cd-d724-4165-9289-e068349917c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6516959a83a0c6425d027fa9/reports/7f34d264-fb88-490f-8457-0ee0c33823b3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d719bf6b-3f69-43cc-b3fd-f469e94e835c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316329
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1316329 Sample: Product_Inquiry.pdf.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 57 netre-agro.com 2->57 59 mail.netre-agro.com 2->59 75 Found malware configuration 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 8 other signatures 2->81 8 Product_Inquiry.pdf.exe 7 2->8         started        12 plQRn125evan.exe 2->12         started        14 frYEUvTlDAIb.exe 5 2->14         started        16 plQRn125evan.exe 2->16         started        signatures3 process4 file5 53 C:\Users\user\AppData\...\frYEUvTlDAIb.exe, PE32 8->53 dropped 55 C:\Users\user\AppData\Local\...\tmp8FF0.tmp, XML 8->55 dropped 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->95 97 May check the online IP address of the machine 8->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 8->99 101 Adds a directory exclusion to Windows Defender 8->101 18 Product_Inquiry.pdf.exe 17 5 8->18         started        35 2 other processes 8->35 103 Multi AV Scanner detection for dropped file 12->103 105 Machine Learning detection for dropped file 12->105 107 Injects a PE file into a foreign processes 12->107 23 plQRn125evan.exe 12->23         started        25 BackgroundTransferHost.exe 12->25         started        37 2 other processes 12->37 27 frYEUvTlDAIb.exe 14->27         started        29 schtasks.exe 14->29         started        31 plQRn125evan.exe 16->31         started        33 schtasks.exe 16->33         started        signatures6 process7 dnsIp8 61 mail.netre-agro.com 18->61 63 netre-agro.com 91.235.116.194, 587 THCPROJECTSRO Romania 18->63 69 2 other IPs or domains 18->69 49 C:\Users\user\AppData\...\plQRn125evan.exe, PE32 18->49 dropped 51 C:\Users\...\plQRn125evan.exe:Zone.Identifier, ASCII 18->51 dropped 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->83 85 Tries to steal Mail credentials (via file / registry access) 18->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->87 71 3 other IPs or domains 23->71 89 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->89 65 mail.netre-agro.com 27->65 67 api.ipify.org 27->67 39 conhost.exe 29->39         started        73 3 other IPs or domains 31->73 91 Tries to harvest and steal browser information (history, passwords, etc) 31->91 41 conhost.exe 33->41         started        43 conhost.exe 35->43         started        45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        file9 93 May check the online IP address of the machine 61->93 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 02:27:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmx6qtp4ufikreozvjulud5xzdasgcdzubn3nla5ytifhajtwqlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e7f5604e1d8b3d04603daffad0a90767b5dd09a639ab9ec783e3bef0df196e6
AgentTesla
2138dbdfee8ee957a0b9d2475b12d71e80a4e93d3f70aad66015bfc332021a50
AgentTesla
2717532257cd9ef04649deae085eaa433bd423bb062a9757aa799bef93124838
AgentTesla
51126123452b3b2387713de84f1ec87592effe0ba5dc70c4a24a63e68e35e3c3
AgentTesla
59a8979d512482bc6a656efb0445fbd1ad97b6c07e6b4353204c6992daca3e35
AgentTesla
9c091fdb1a1329094aa1902a066869bf18541c3fbaec9ee69153c790dc568e89
AgentTesla
a137cff915e45fd894f48951ee7fccf5d7b9da31539a8fe0b287f1720a8794fe
AgentTesla
bb934c8c993b5a096efb22396b82147369fa8ef44fc2da09089e590881e8c60e
AgentTesla
d37b94cc6dbda1ab0be4125b9399716800149a27665acc13b62f62d9a5d29334
AgentTesla
d8c49ba8b26cbf93164e1051bd1322d0e855b4b15357fcad7a05edbb40564078
AgentTesla
+ 5'742 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230929-k7xrysae95/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
abed99881ce1e05907653d1697ae232575d0cf067fd5cc646e2e5ee9f7337c82
MD5 hash:
491a7170bd8a7ed81d03a64ff2598bdf
SHA1 hash:
8325a5bccba80878a14032c06b78b34db808b910
Link:
https://www.unpac.me/results/0880b465-276d-4907-8f24-0c941188737d/
SH256 hash:
7cbcdd51d9a52098d2e0de888e861b0d833f9a20b08649c2f57f5e6a3e03c5f7
MD5 hash:
07827262591e8b997c2782e2c5e2b880
SHA1 hash:
5de5f8a7515914f9161641f46a5c193f8b472797
Link:
https://www.unpac.me/results/0880b465-276d-4907-8f24-0c941188737d/
SH256 hash:
50c8eb6b7abe662fc6bd109d6c631e255a390cfc508b639e9aa8b03ce2b62019
MD5 hash:
1afdc8d1c6a2be496ce21c8581290869
SHA1 hash:
5c8a40f74b9cd3e473b9f62db66e6d3bdddefc89
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/0880b465-276d-4907-8f24-0c941188737d/
Parent samples :
5d1e3eddb5c1b6fbbcb136094098945e7db58322b8cf9d2b138e566a447a75eb
ffc7f44e4dd3a2456d2a2a25ab2dcd4ef93d584ffed994025f03ef3dd34d4c6b
8c9aaf55abdaf2a893d56dc0ff3f3e37ec100a6e0ad0adf82f2cff4997112e12
632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/0880b465-276d-4907-8f24-0c941188737d/
SH256 hash:
632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417
MD5 hash:
bf1b297357e3d9320e0d08c9bd2cbf22
SHA1 hash:
a7ea45c00e701298092e22d1b0dd988bdf22e671
Link:
https://www.unpac.me/results/0880b465-276d-4907-8f24-0c941188737d/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/632fe84dfca1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 632fe84dfca150a891d9aa68ba0fb7c8c1230879a05bb6ac1dc4d0538133b417

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments