MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 698d82a99f8d7c65b98bafb63690fd54c2ca7f42c9f1d9908095295bb6c84e6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

SHA256 hash: 698d82a99f8d7c65b98bafb63690fd54c2ca7f42c9f1d9908095295bb6c84e6d
SHA3-384 hash: 6f48e33a2b5df49c0717a40459b72df6407cf9e4f547fc1dabcda7fb6d7a8ff13e30cf5c5e844edc7424a2733151a14d
SHA1 hash: 992fae5e93c2f7b550abb5db1b0bf64741aa72f7
MD5 hash: 9ba1a3c19d8c3536f29a4837ac5ff8ca
humanhash: shade-ceiling-fillet-edward
File name: คำขอใบเสนอราคาและคำอธิบาย.exe
Signature: AgentTesla
File size: 565'248 bytes
First seen: 2023-04-25 15:42:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:FA7aFbEdL712e+fphPb5prIqkK1s3+5I+ajT0QM:FA76b/BhtR1m+5vaP0N
Threatray: 2'577 similar samples on MalwareBazaar
TLSH: T131C41290526BBAFADDCD277B49602599437170835029EB3C97E08ACDCE42F4BDF4126B
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: e4e22964caece4e8 (8 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter: Anonymous
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 259
Origin country: CH

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching the default Windows debugger (dwwin.exe)
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla, zgRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour

Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2023-04-24 02:59:57 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 18 of 24 (75.00%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files

SHA256 hash: 523fcf9b44478c4e0bd95b2fd7de7de16774046dd2a437da5cd267b0766b6c9b
MD5 hash: d461844e084f189640cf4bd0253423e4
SHA1 hash: ef4d3f940dee34be37277b8846b0ce40c2f4955c

SHA256 hash: e53f83a02cf8da756d6dca924a5e5fcd6e521778069419538465a63e8691fbe3
MD5 hash: 736687045739c888f288cf8ce83cd575
SHA1 hash: 90cf5ea5a39778ce40d2a53e6816096a82bd63f7

SHA256 hash: 935cd9f3b1e5d1a13f21f3ed459b648c29e496d94af4eb519c261206c9fac7ce
MD5 hash: 7e3d3ad62a888220491efe2f59290bc6
SHA1 hash: 79f729224924f3f7564c607649ffbdd2db9dfb98

SHA256 hash: e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash: 920a2854e9c183ad2ef7d5543c296d38
SHA1 hash: 2c20da753bdf6f1a46261e2c132dd42f75c94229

SHA256 hash: 848e5801501161c60ffd611afdb5550a4954b8a52beaa8c366bd71dfdf3e52f1
MD5 hash: adbcc989437dfc478a8fa41a484ceb50
SHA1 hash: 258a487116d09ada36388ade4cff20a344090e65
Detections: AgentTeslaXorStringsNet

SHA256 hash: 698d82a99f8d7c65b98bafb63690fd54c2ca7f42c9f1d9908095295bb6c84e6d
MD5 hash: 9ba1a3c19d8c3536f29a4837ac5ff8ca
SHA1 hash: 992fae5e93c2f7b550abb5db1b0bf64741aa72f7
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 698d82a99f8d7c65b98bafb63690fd54c2ca7f42c9f1d9908095295bb6c84e6d (this sample)

Delivery method: Distributed via e-mail attachment
