MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae
SHA3-384 hash: b3cafa98d27b68aee473644594a9f3a595edc9d5ad78fc9aa130d81edc93ed84d8001da5572c527f0bcc9fb9c5a722df
SHA1 hash: 50167ff3317db441254aa5ea81f1572467a7a2fa
MD5 hash: bd9d1d7c7ef91201f3e3b2517ffac7f8
humanhash: alanine-muppet-lithium-wyoming
File name:ORDER PO.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:660'480 bytes
First seen:2023-07-25 18:34:28 UTC
Last seen:2023-07-26 05:01:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8XPZJuF0A1+1xo53y+aacZMPkCjowfO+8f82AvKhAaC4ILyxxyUkgsSnLud:OjAg1G57WZMPkCD8f87v8AOPx3kgsOKd
Threatray 521 similar samples on MalwareBazaar
TLSH T138E4126173EC9B16C97E57FC1A6184000BF0AABB8531F60C6EDC52F64E21365D782BA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2d6dbd754d4d71b2 (8 x AgentTesla, 6 x Formbook, 1 x SnakeKeylogger)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ORDER PO.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 18:38:35 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/d81eb243-08b0-4dbb-963e-1d583d470feb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/433092/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10529.19722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c015d942d86ce7e10c2286/reports/55c67ba9-868a-49c1-94d8-7c364087a324/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3132528a-0d22-4002-b617-4f5685f0a36c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279459
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279459 Sample: ORDER_PO.pdf.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 5 other signatures 2->55 7 ORDER_PO.pdf.exe 7 2->7         started        11 fKLLEkWLXtcnKj.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\fKLLEkWLXtcnKj.exe, PE32 7->31 dropped 33 C:\...\fKLLEkWLXtcnKj.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp1776.tmp, XML 7->35 dropped 37 C:\Users\user\...\ORDER_PO.pdf.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 ORDER_PO.pdf.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 fKLLEkWLXtcnKj.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 sgbumperscar.com 119.17.253.214, 49699, 49701, 587 NETNAM-AS-APNetnamCompanyVN Viet Nam 13->39 41 api4.ipify.org 173.231.16.76, 443, 49698, 49700 WEBNXUS United States 13->41 47 2 other IPs or domains 13->47 69 Installs a global keyboard hook 13->69 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 mail.sgbumperscar.com 21->43 45 api.ipify.org 21->45 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->71 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal browser information (history, passwords, etc) 21->75 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 16:22:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfxgdvdd32njo25acs7ncxi2mj6jmrgrv2aibkq347oc4a5m6wxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
143a0fddc3af51f26980672385b2f8102d1b8cc473c285cc5ec40dc6c642c4a2
AgentTesla
1fbe5f912ec66d5c25ad0684a7fc431d87d9f04b47d45418d18821c1f29cdf06
AgentTesla
23b6e6ddaf2fff34828dbbba29c5d6315d78a6660236d5fd0da7d8322c3e6f1c
AgentTesla
2c738c2b15bab621c7f94261438463073c45ec6b30c922bf65d7857e177ee1cc
AgentTesla
660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1
AgentTesla
9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c
AgentTesla
9e6e021c6deed0f7538b92df6a47667f2c52919628fa4886c6948860720f9214
AgentTesla
b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9
AgentTesla
d254597f97b77a7c2e13c980947c0b19a24f21cea9226826c2a9bd13d7a5e335
AgentTesla
+ 511 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230725-w8dk9aff6y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/a4d0b6cb-22b3-450c-9ac9-ab78d0d72134/
SH256 hash:
47035e8eeefd2ee373a1472834a4f230681857a2eadae587e9e348c64daf18b6
MD5 hash:
faae1179e7326f9277cd6dae25fa140c
SHA1 hash:
a97eb643280a9c4986e06e6a19cf3109d89ffa86
Link:
https://www.unpac.me/results/a4d0b6cb-22b3-450c-9ac9-ab78d0d72134/
SH256 hash:
df4fa0727d5def9696a4a8857a013d2e14fa2383eeddff073359eceb3046618d
MD5 hash:
75651f9a87235401a723cfb9c448d453
SHA1 hash:
69028f015d0ff99258157e13d0a211d8b8efcf5f
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/a4d0b6cb-22b3-450c-9ac9-ab78d0d72134/
Parent samples :
696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae
ab701ac288408c45b6a0d0d7cc7f71b44309cd32b64544a3244511098ee20bf6
SH256 hash:
b9a20d6a037273d22acfef040a5ee5eaf300f8ed3cfa174ef8a7c400b3753105
MD5 hash:
f2ddeb90f1d02f7f07a7d4784907f037
SHA1 hash:
03ecca6a926462f1559c29e0d59dd99ed62b60fa
Link:
https://www.unpac.me/results/a4d0b6cb-22b3-450c-9ac9-ab78d0d72134/
SH256 hash:
696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae
MD5 hash:
bd9d1d7c7ef91201f3e3b2517ffac7f8
SHA1 hash:
50167ff3317db441254aa5ea81f1572467a7a2fa
Link:
https://www.unpac.me/results/a4d0b6cb-22b3-450c-9ac9-ab78d0d72134/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/696e61d463de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z da0f4abf966401585d93c76714deaed1852f117fc059f5df4a84b7b6515ef822

AgentTesla

Executable exe 696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/433092/
  
Dropped by
SHA256 da0f4abf966401585d93c76714deaed1852f117fc059f5df4a84b7b6515ef822
  
Dropped by
MD5 6bfbc0e4749eb4b49392dbe1c1bb86ab

Comments