MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180
SHA3-384 hash: 7ff40a29482880aa70104416cfffc78b87c19d048811d370b62236d6f233aeefe60cba014144deba88871959d7f805b7
SHA1 hash: 7ad5ae415a0ac333faa37809a8068cad4e1f5bab
MD5 hash: 5a76e002804aa167debb597cef8db057
humanhash: whiskey-lamp-ohio-pluto
File name:SOLICITUD DE COTIZACIÓN.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:659'456 bytes
First seen:2023-05-24 15:44:11 UTC
Last seen:2023-05-24 16:41:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:/2iN/H4q7AnlAYsHlh9H5whnW+GkyurSf7kc9:/1hH45nlAYkd/f7kc9
Threatray 4'193 similar samples on MalwareBazaar
TLSH T175E4DF572A6A8F62C57503FA4226E2B863722FA87273D3169CD3BCE3F439B425C05157
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla ESP exe geo

Intelligence

File Origin
# of uploads :
3
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOLICITUD DE COTIZACIÓN.exe
Verdict:
Malicious activity
Analysis date:
2023-05-24 15:45:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7171c56a-adbe-460e-8696-92425ac24a46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/391211/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/646e30ffcf634b8f311b0b0f/reports/ddfdde5f-0c23-4d2c-9d7b-2f1567612b26/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4747718c-a3fe-492e-add6-d3f9ef502c0c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241813
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 874820 Sample: SOLICITUD_DE_COTIZACI#U00d3N.exe Startdate: 24/05/2023 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected AgentTesla 2->57 59 2 other signatures 2->59 6 SOLICITUD_DE_COTIZACI#U00d3N.exe 3 2->6         started        10 HGkefwu.exe 3 2->10         started        12 HGkefwu.exe 2 2->12         started        process3 file4 23 C:\...\SOLICITUD_DE_COTIZACI#U00d3N.exe.log, ASCII 6->23 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->61 63 May check the online IP address of the machine 6->63 14 SOLICITUD_DE_COTIZACI#U00d3N.exe 17 10 6->14         started        65 Multi AV Scanner detection for dropped file 10->65 67 Machine Learning detection for dropped file 10->67 19 HGkefwu.exe 14 7 10->19         started        21 HGkefwu.exe 7 12->21         started        signatures5 process6 dnsIp7 29 smtp.all-tsc.com 14->29 31 api4.ipify.org 104.237.62.211, 443, 49681 WEBNXUS United States 14->31 37 2 other IPs or domains 14->37 25 C:\Users\user\AppData\Roaming\...\HGkefwu.exe, PE32 14->25 dropped 27 C:\Users\user\...\HGkefwu.exe:Zone.Identifier, ASCII 14->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 33 smtp.all-tsc.com 19->33 39 5 other IPs or domains 19->39 35 smtp.all-tsc.com 21->35 41 2 other IPs or domains 21->41 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 51 Installs a global keyboard hook 21->51 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-23 15:45:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2ubnda6y4ah5tdpif7sn6yre7nvdxcwnaykawue4i276fkjygaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061f8abfc0e824b3fb3c45acdf6e050f942db15c8900b8a9f58c12286e68fe47
AgentTesla
09d70a9a22f7bf12c1a6354b1d90d426e1223576d27ba855f6f48d78bf508833
AgentTesla
2e122653f2f213fea66143fd3a80af76a38bda77fe06b9450d4ba795d98704d5
AgentTesla
345750d39c7d8b5faf43e95d7621ab0ea56fbd219a78befa08b3ed5099540dbc
AgentTesla
3c2846461941ebb9805092c18d217a5e78b74619e82f9bb21b2c11d59974cf03
AgentTesla
666a06dff871be2fc9c9d41c6151da13889fe3a78290af3299eeac4b4f758f73
AgentTesla
7f048d017967cde1d43163e9a65354823a8018663589e856a4a644833f6794bc
AgentTesla
a4c4fb8bc4629153ed1768ebc1255538df38a066522d48e101c8c97242359bbc
AgentTesla
e78333be3402a8425c18a63f6938fa2f861c877e362d6c679079c17d6ee18dd2
AgentTesla
+ 4'183 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230524-s63ktadf7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
dd9b6666493f488ba84321a3358298523ba6cc0e7e1b93802800b717d0d09453
MD5 hash:
5d1a28003c07e44f480d96991b85f7a7
SHA1 hash:
b8197fc05fdec7362b178a1b57177a3e0cc8ec45
Link:
https://www.unpac.me/results/3cc24f6d-a26f-48db-a960-6b282dea989f/
SH256 hash:
cb5ee4cfd7179a57298c02ce4ccc9c2ca6b0b310758a7320340cf0a40ab62f88
MD5 hash:
0dd66dbaf510e93ec00b9eadf5ec34b6
SHA1 hash:
b7e1b7bbf2d58cc03beeb7095ae98e03426f39a7
Link:
https://www.unpac.me/results/3cc24f6d-a26f-48db-a960-6b282dea989f/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/3cc24f6d-a26f-48db-a960-6b282dea989f/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a84609b98c557242964a8f921b6352a0fa82c31c17e7f59a028df4820991633f
MD5 hash:
5f804a491791cf86c1102e2dfe4bda99
SHA1 hash:
8366206bda8c57f7ee410bfaa46a452ac7cacf7b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3cc24f6d-a26f-48db-a960-6b282dea989f/
Parent samples :
061f8abfc0e824b3fb3c45acdf6e050f942db15c8900b8a9f58c12286e68fe47
66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180
8005c1f11765b2f062b741afe29c062901a5603959d8334ca14421a3426d7526
SH256 hash:
0c19acf7b4e0ab5e4f6b76aa4e9b0f9217f44affb85eebc68aa4f0037d2fced4
MD5 hash:
ca545bde93b35ce2d01897daea96fa0c
SHA1 hash:
625f40a9df109d24c934d3c464a6111aa53a8d03
Link:
https://www.unpac.me/results/3cc24f6d-a26f-48db-a960-6b282dea989f/
SH256 hash:
66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180
MD5 hash:
5a76e002804aa167debb597cef8db057
SHA1 hash:
7ad5ae415a0ac333faa37809a8068cad4e1f5bab
Link:
https://www.unpac.me/results/3cc24f6d-a26f-48db-a960-6b282dea989f/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66a8168c1ec7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 66a8168c1ec7007ecc6f417f26fb1127db51dc566830a05a84e235ff1549c180

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391211/

Comments