MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66ad671957356b0a979ac4ce68ade78f8ddfda2dabd4e1dc0b1ec68a1ac6dcf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	66ad671957356b0a979ac4ce68ade78f8ddfda2dabd4e1dc0b1ec68a1ac6dcf5
SHA3-384 hash:	6877c9ea604b4aa1e7383bad555bf034068aa230489961772ae5811f5759c828fa5684c9dc9943822ec3371327f27c5f
SHA1 hash:	68a593c534df9153f79a164a11c930d509684f1b
MD5 hash:	85230ca9ac36a964607c95e1ca852110
humanhash:	queen-oxygen-uniform-paris
File name:	BALANCE PAYMENT.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	666'624 bytes
First seen:	2022-10-21 05:34:17 UTC
Last seen:	2022-10-24 18:02:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:I0JjowpCQo4EGM2kfRL9doYyFjnQ0Bv9+EGvH7yNHH2gtZE100nX:1EVPGYyhHF+HWF2uM
Threatray	19'532 similar samples on MalwareBazaar
TLSH	T1CAE4E0BE5B444ED7CD2C997EC4A2916472F0FDAF1102F64E7D9320D90AE07DE8392896
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	dcc2ccecececc2dc (3 x AgentTesla, 1 x RemcosRAT, 1 x Formbook)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

BALANCE PAYMENT.exe

Verdict:

Malicious activity

Analysis date:

2022-10-21 05:37:22 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/0c2ea8dc-79cf-48a3-ad86-36432284dab1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322180/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.6790.4492.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63522f8766721ebd9b2f57c0/reports/56c7de64-05de-4047-ba70-c5b1c71531a9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6779e159-dad2-490d-99ba-ba3570141631

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1094632

Signature

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66ad671957356b0a979ac4ce68ade78f8ddfda2dabd4e1dc0b1ec68a1ac6dcf5/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-10-21 03:02:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m2wwogkxgvvqvf42ythgrlphr6g57wrnvpkodxald3diugwg3t2q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

91139b19c219a2cf3882f5bcdc6610a8691b079c05ecf7aadb1d461bee084266

AgentTesla

a0b715dbe6410280098b511f7cf95b466c14f15de32ed2cd79744d2ebd7ad8ff

AgentTesla

ab828ebbb7925536f94b2fe3f34100bdc8326589deb88e90dd3490893495f19c

AgentTesla

ad218fa84daf745d843662eb723957cf805e2ddb1043f0f0f1b67f6a6d02111f

AgentTesla

be06f8a3ed040aadf2598bc5a9b4c886c271ad7866505dba11b723dba968f518

AgentTesla

be82b725c643ac9d30a503f2fd615d9bcd38ed9f0edbe53082d5743ded65e327

AgentTesla

+ 19'522 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221021-f9z8msdhbm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c0586dcc-d491-442c-87ff-72f18b4af693

Unpacked files

SH256 hash:

e590ea69c4cb25b6267f395529ae988293e7cedd0ebe8bfcf0d98ae91e35bffd

MD5 hash:

61f9ac5773da429ada5bba98b13dfcae

SHA1 hash:

e9e8a04294a20f204238f339236ea74a1cfe2093

Link:

https://www.unpac.me/results/072b1227-5f92-4885-99b2-02255b4282c4/

SH256 hash:

79b61b9d0cd1652ed447ded8d8a820b3adc7e8ed06382bb4beba797ad10246f9

MD5 hash:

a7d4322a967f3ccc56dab11fd09b7cde

SHA1 hash:

646d3ad4d28d217def55b75134c4c154e31982af

Link:

https://www.unpac.me/results/072b1227-5f92-4885-99b2-02255b4282c4/

SH256 hash:

4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde

MD5 hash:

f4ba8570299eabf8fe2d02cc1dc0606a

SHA1 hash:

5d7add32313074f5a1e9b4ab379298dee8b6217e

Link:

https://www.unpac.me/results/072b1227-5f92-4885-99b2-02255b4282c4/

SH256 hash:

66ad671957356b0a979ac4ce68ade78f8ddfda2dabd4e1dc0b1ec68a1ac6dcf5

MD5 hash:

85230ca9ac36a964607c95e1ca852110

SHA1 hash:

68a593c534df9153f79a164a11c930d509684f1b

Link:

https://www.unpac.me/results/072b1227-5f92-4885-99b2-02255b4282c4/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/66ad67195735/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/66ad671957356b0a979ac4ce68ade78f8ddfda2dabd4e1dc0b1ec68a1ac6dcf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.