MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216
SHA3-384 hash:	df34efa480b062785a3e84d5875ea80e897890f88130a893aa99a947a96f5aed358109bd037a11b907a690c3493bba6c
SHA1 hash:	fb0cd8108e1020e5d3e97423b60350e1d8ce063b
MD5 hash:	c8b1d37a3da721f6f73b95294e4eef86
humanhash:	delta-nuts-music-winter
File name:	PB2EF396HB2Z.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	17'920 bytes
First seen:	2023-06-21 11:30:32 UTC
Last seen:	2023-06-21 11:44:20 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	384:zbeYjX8Bq6k1a3wHaoEtKASIM7BMRaZsa2n0M7kVT1OOk6Jh51yq3Zj4:9XYq6k1ZHaXttmPjp1OUUqpj4
Threatray	9 similar samples on MalwareBazaar
TLSH	T172823C16B3948336EC5E4736ED72228003767B67B703EA2E8AC7654638633749F516B3
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PB2EF396HB2Z.exe

Verdict:

Malicious activity

Analysis date:

2023-06-21 11:32:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/aa4244ca-4b85-4959-8c0b-8fd834d56a4a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/401341/

Detection(s):

Sanesecurity.Rogue.0hr.20230621-0934.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a file

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6492df7799f0c0cb09333572/reports/042ab33f-7fa0-4dd6-9c74-55f4ebc17d52/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8704aeb9-5e13-419e-8d73-8f26937b8071

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1258964

Signature

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216/

Threat name:

Win64.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-20 22:57:52 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 36 (36.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m3egtfexdgtesuhvvlzeu2d3as64opmgsatezlmimfywckptyila._file

Verdict:

malicious

AgentTesla

3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d

AgentTesla

3e24e97aba6e7432395abc346ee3484b9dbadbe803a046a84ea41529d6ed8c89

AgentTesla

4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9

AgentTesla

670bc9a86f72af2ab43a89c576a4e1874ce188b35a1f5656ea27f4b7ac3d5f09

AgentTesla

8ee291c9153a33f1f76ffd3c67d69162c6459cfde019634707339ddbf2793582

AgentTesla

a26842becdd6ced8f2b44de90122dbd4cc027348b569ef32703749bac877ca6f

AgentTesla

c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465

AgentTesla

e43e5c816ce04f8fa14c819ff2b5bfc02c03e27a4b0a6b85875ef11ea4d4489f

AgentTesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230621-nmpsdsgh72/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216

MD5 hash:

c8b1d37a3da721f6f73b95294e4eef86

SHA1 hash:

fb0cd8108e1020e5d3e97423b60350e1d8ce063b

Link:

https://www.unpac.me/results/3f7d14c4-c591-423e-86f0-ec13e80d9be2/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/66c869949719/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 6d23f275f23eb59ce83d71ebbb1bce6f7023cfe8c12bdcbc05433c12ac48c176

AgentTesla

exe 66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216

(this sample)

Delivery method

Other

Dropped by

SHA256 6d23f275f23eb59ce83d71ebbb1bce6f7023cfe8c12bdcbc05433c12ac48c176

Cape

https://www.capesandbox.com/analysis/401341/

Dropped by

MD5 19001d8db5889077cddc637d2b6a7e76

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample