MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2
SHA3-384 hash:	093aec1a4e18d168a88986ab6a22832fe5f8903fa3a049473557d34f95cb6ba6763ff13765513fa9b663fd88fbb530be
SHA1 hash:	97273634ceb96c2400640ca2144c59f85df3112a
MD5 hash:	9087bc9972c4bbc61eef9927652a2f8a
humanhash:	echo-thirteen-robert-finch
File name:	DEBIT NOTE.pdf________________________________________________________________________________________.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	567'296 bytes
First seen:	2023-10-27 06:41:10 UTC
Last seen:	2023-10-27 07:37:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:9GhL+JzKj5XKDDwwO6thxMP0leJZOVDoY6wPk68meqV+:QhL+JzK5XKvG6thG0lPkYKT
TLSH	T16CC4125473FA5B71E6BE1BF49CF011045BB5B64EA9B0D26C4DEE10EB08A3B448690F1B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	cocaman
Tags:	AgentTesla exe INVOICE payment Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

151dd2c9-8755-45fc-99b8-205152113080

Verdict:

Malicious activity

Analysis date:

2023-10-27 08:29:35 UTC

Tags:

sinkhole agenttesla stealer

Link:

https://app.any.run/tasks/151dd2c9-8755-45fc-99b8-205152113080

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/456656/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/653b5bba34de31f579cc066f/reports/8af30f84-465c-4cad-b461-b019f292ebcb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a5ecab9-5c25-4c54-abba-1310febe3473

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1333123

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-10-26 02:57:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mt4e3tznrljvgvdz3zkp27iv5sraace3ah25jk7iv2eatzmgepba._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231027-hgb2fscf81/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

AgentTesla

Unpacked files

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/056e0ce0-f59c-4687-8b39-bc31abef5fed/

SH256 hash:

baee42cc09eb8a990875b6b5e4f132c8b36b3d627309ec7746a013f8e7aa6e59

MD5 hash:

fe49381b50ffc8a74df5bd1413b25143

SHA1 hash:

821cb4dab9c79cb51e522c1c910ec2a2933da7e2

Link:

https://www.unpac.me/results/056e0ce0-f59c-4687-8b39-bc31abef5fed/

SH256 hash:

2a8017fdd503fafea922ea9e2ebdd7948e8c83f792012a7712b4c386af1a1903

MD5 hash:

0ffc63965b5a4dabaf2c7b4325d5442b

SHA1 hash:

807d89da697a4153c67da85854f75c2d0e76e7c4

Link:

https://www.unpac.me/results/056e0ce0-f59c-4687-8b39-bc31abef5fed/

SH256 hash:

c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89

MD5 hash:

8560712e92050b126209625784bac522

SHA1 hash:

31ace913c80581487089a4ce88a03616cda905ed

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/056e0ce0-f59c-4687-8b39-bc31abef5fed/

Parent samples :

d9c02f3e9cc894fd55747ee2c449c1c40c2906d9fe1134994593eb0e81589a30
28657acf0a25a10979f1f7df41780b42fbeef920272067f9345f7a6a4788f889
3b0760dbe7dc9ac6a2cf5971ddde67c51e57bc973995cf641de226409b537817
930ac5c7da662a0118aba6fa78aeadf706ed8b5ab98e03b94dbd04991dfd2b7d
c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89
f8105fdfa774017614ec9aa30084a2a6645456c05704896fc972dd5d0c99ec76
ec57c2de3349840ec8ac00000c964ba5c68cda5b954f6ea4ca3ced7098257286
ddf7770047bab26cd3cc7752df568dda1b03789739ed404e3c5143bf0abba51f
9edefc168186e3a7ea6785affc672f91cbe4f592d4b84c75435866f16eddc82b
4f14ea5723dc55b7fc4a76f7bc7f5a834a16f531d8d47342b9a64a79678d417b
bb5557412213a1e283b548c6cd1da5c5848610756cd98352e6a77bb7ae952839
208319e004a6786ea50aacc67797171f4f4356f232bbf2e99c91cdbbe48c7624
5ab2ba45e2190d5a88041adb9a7be32bebe71a846832bba6efde116531d087c2
f4f24561c696372a62370c947fdecb96cfa6162711718f79a2c2e07836b69c80
4c2cbc5a9ebf7ef6269d1b0533da551b9e1bd419d0e8626db602ea0f77ae8f08
600d4ce1088af7290d2e4096db034af9eca3431a7942073dc485788a538a0747
b5169b6fa30cff601e0f3473f0a95006767553560753831f4e7f365758011433
ad2a1e6ea8fb128c76cafb20b9eae42b641ba5bf8932ac1867a8e3c51889192a
00ec18a18e5816731a60f69bcbe7c9296ae4084e5e390e8b545d475e1a37c7d9
a9bfb74e882c289a3fcbdc104411229292d0127efacffda9beb22206f58630aa
d65ba38b65d9ef5515d49a13be05cbdc0094c25a6ae4823935bc6f838de759a7
fcd2ed1088d64779e16e5134652d8360212e613b75c6cd5929216cabe27cfeeb
e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59
0b675485123aef301b8f33a5ebca2b1dfb12c7bffcdc7331dc16615c9d6b0495
e108137aa0469b5a1affc9d86a92e9e844a9540d9082ca5511b67de114310f88
ac04f04d01ae5428a8017be37d7d1352ad3212852c259d1a0e2f775969ecc36c
768ad01a4a10350c639160a41fcb2e08e108cfeddb993cb2535bc1804fdd1a3c
ac4ba0aff57a411df5eabcec6b1ab5cff2ff47dcf578fdce74be6cd3405b626c
a92454653447052d1a4d2342adeae2ae74a0499868a6fbd7834773b47b368cb7
c7834a1e61260b87156453c5281e2dc6f922d6ffdced1cec6ad2c5507680fa17
66d429595734624fc9610dff9b019f6b1687865f7197094a6102ced753453f9d
b6ae3f27029900241bf6ecd397a0686061db57ce48df21098bc27d365fc3139f
b0f78bdc2bfc668fc39e8735344d5c6ca8f78290132b70734c76dbf436c41c44
52c04c41fc17f8f05d233e2b9403fcebc3ccb8fb1b4e7d776a9b7db78d4fa980
c94c3741876b0ec763fa759b91c10d941c12626e84ef0d43c6c64cec7959f4f8
38468ab187452cb5bb9572bfe5b111449b8daa66678cd67396f8d5ccaaa382a4
e774f64c2078e0b89fa7a65590044e70212823f02b0300636deff0ccb5a36971
d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1
cb7de7bc680acafc54395cc399b1a38c440424738270c4bbd005b4a13229fc39
cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2

SH256 hash:

64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2

MD5 hash:

9087bc9972c4bbc61eef9927652a2f8a

SHA1 hash:

97273634ceb96c2400640ca2144c59f85df3112a

Link:

https://www.unpac.me/results/056e0ce0-f59c-4687-8b39-bc31abef5fed/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 5b67e491f773b5d8f0cb5e8809b23d8a79d7ca17cc8c5341066e109f4c2dce5f

AgentTesla

exe 64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2

(this sample)

Delivery method

Other

Dropped by

SHA256 5b67e491f773b5d8f0cb5e8809b23d8a79d7ca17cc8c5341066e109f4c2dce5f

Dropped by

SHA256 ae4df0469791475d054b855d85cd7fbae2b1a92bf75f276b93ce18150117d85b

Cape

https://www.capesandbox.com/analysis/456656/

Dropped by

MD5 074b5b6db982008b3591d54c9ab166cd

Dropped by

MD5 1ec5a7cd2dbff3f5e867c55f10e25ca3

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample