MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 685009598ad43caf98a36998b832e2e0b68bc79701837afc5911e8816cfe8b41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	685009598ad43caf98a36998b832e2e0b68bc79701837afc5911e8816cfe8b41
SHA3-384 hash:	f98a5ad237f74b30eea49a946358dd046c612470ae44217c1fdba9b0adcd4ccf0006b21b4605cd6d1e9525507c607cb7
SHA1 hash:	52a1a60b897688b22fbe8617fabbd152b2d65edf
MD5 hash:	8af257b8a3ff3fda1e212e88a4315381
humanhash:	orange-fanta-jersey-lima
File name:	9046- PA118- SUPPLY & INSTALLATION OF EQUIPMENTS OILFIELD EQUIPMENTS & SUPPLY.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	981'504 bytes
First seen:	2023-02-21 22:33:35 UTC
Last seen:	2023-02-22 00:40:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:0ZAzXkyLr2ayjh1eNIWl9S7IMJtEHccs8z5x6nCCguekw9mcqHxryA7MxZTWIG8u:0Eky9IISfJ+Hl4CvvfaBIPfa6da+uuM
Threatray	1'299 similar samples on MalwareBazaar
TLSH	T1A825BE9977B46073F9CB01FE5C38278C2D2026137509E36E9B77BB91A274AFB7294112
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	cocaman
Tags:	AgentTesla exe QUOTATION

Intelligence

File Origin

# of uploads :

# of downloads :

220

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9046- PA118- SUPPLY & INSTALLATION OF EQUIPMENTS OILFIELD EQUIPMENTS & SUPPLY.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-02-21 22:34:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6ff8abdd-61e9-41cf-ac66-eb4d5190ab4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368757/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230221-1636.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f546dbd385ee58584e6b0f/reports/c802cda6-eca6-449a-86e3-c163bc47c564/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/685009598ad43caf98a36998b832e2e0b68bc79701837afc5911e8816cfe8b41

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/89424b59-24b3-4e37-b160-76cc5228a93c

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1180151

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/685009598ad43caf98a36998b832e2e0b68bc79701837afc5911e8816cfe8b41/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-02-21 12:54:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nbiaswmk2q6k7gfdngmlqmxc4c3ixr4xagbxv7czchuic3h6rnaq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

45e3147f1b2fdcd97492b8bf95ca8f6b18493f395f1f8725a2cfad936391d4e2

AgentTesla

4c3086c7b54ad80ad5fc64db138390fed0936764f882ff2ef7aad23656e8897a

AgentTesla

b4edff8c4560f792c25771b018a69794f957964d4da9403062742c5f11e95052

AgentTesla

c50e616b405db7270d7834339e74dfafbb495ce8e36d0feef6ccd488b704671b

AgentTesla

c5cb50f2a9e4e82bab699a454bfd0370d9b0990edfe795c7e2903cc2369935b0

AgentTesla

fb50bb27d93d0f198dc7df0a806bf3e20e9f356f618d1c3d48d2fcbaa1726591

AgentTesla

+ 1'289 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230221-2g3nysag31/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/652a77a9-6fa7-4ae4-a2e7-5e372f275446/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

f11ca8a4ea5b7a7c2b982020fec273ab6246b75ad4c9e45fbd475eb0a1350c17

MD5 hash:

2a0a9f880a5fc4e16971fc0752b0854c

SHA1 hash:

84952dbf095679f3d5da366c6ef99f13136bb4c5

Link:

https://www.unpac.me/results/652a77a9-6fa7-4ae4-a2e7-5e372f275446/

SH256 hash:

8a503cbf1c570e30976186208e25ecc97a6c7bdb23a8101bd1050107680cf9e7

MD5 hash:

0c0531ae8e2b25c5c0272fcd45680159

SHA1 hash:

76cb7c9cea9f3712fd0fe22439c5769442ac754e

Link:

https://www.unpac.me/results/652a77a9-6fa7-4ae4-a2e7-5e372f275446/

SH256 hash:

b31da6ceaaacb35c2f67abdc9a8b604d715e442b6b9ca1eeebbbdea45b519b3c

MD5 hash:

7bbda7953caf96546936ec6df9ece28f

SHA1 hash:

5f42bfa075ff9aba06d4afd9798d752bbe1b121d

Link:

https://www.unpac.me/results/652a77a9-6fa7-4ae4-a2e7-5e372f275446/

SH256 hash:

23f5cd029f0f069ac1f0da0076a609239bcd6e338bebc5be26c81c71c337bfa4

MD5 hash:

3d80c9d944c5cb4b856e5dbc90b3f5b5

SHA1 hash:

00029210860105c94bc23ce9f14e6bea2a17dc19

Link:

https://www.unpac.me/results/652a77a9-6fa7-4ae4-a2e7-5e372f275446/

SH256 hash:

685009598ad43caf98a36998b832e2e0b68bc79701837afc5911e8816cfe8b41

MD5 hash:

8af257b8a3ff3fda1e212e88a4315381

SHA1 hash:

52a1a60b897688b22fbe8617fabbd152b2d65edf

Link:

https://www.unpac.me/results/652a77a9-6fa7-4ae4-a2e7-5e372f275446/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/685009598ad4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/685009598ad43caf98a36998b832e2e0b68bc79701837afc5911e8816cfe8b41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.