MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef
SHA3-384 hash: 4c62ff683332444e5459ed4c06f467f67eafd7bf9340b1322a3c4123ae10ecca420ea32482c60afbece1c8db9f5aff74
SHA1 hash: 1a0059739568e3254fef3c605817dfb0787e61de
MD5 hash: 3b68d6819644f2b0584e5aed75085e13
humanhash: asparagus-zebra-comet-magnesium
File name:1026 PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:302'378 bytes
First seen:2023-02-21 08:52:46 UTC
Last seen:2023-02-21 08:56:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya60GkLeS3XalLvnwxLd5R9ILo0mDh980CRlxMP8SgdFUFiI+:/YqGkLetlbw9dTKhmP80EMPEdGFiP
Threatray 3'303 similar samples on MalwareBazaar
TLSH T18D5412487794C133CCA286711D79B71679B2C8290A74474F2B205B2DB532BE6E67F3B2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
3
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1026 PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-02-21 08:53:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c508014-72c5-4bf7-9dbf-95686e121eae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368571/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1312.1407.31208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71919/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nemesis overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f48671b53d126ad263580e/reports/b6f16204-902f-4573-ba1c-eee211b0925d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d8d5615-d570-4633-9ef6-fc7ada5e07b0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179611
Signature
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 812444 Sample: 1026 PDF.exe Startdate: 21/02/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected Telegram RAT 2->55 57 3 other signatures 2->57 7 1026 PDF.exe 19 2->7         started        10 kgpyuenj.exe 1 2->10         started        13 kgpyuenj.exe 1 2->13         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\hrchz.exe, PE32 7->33 dropped 15 hrchz.exe 1 3 7->15         started        59 Multi AV Scanner detection for dropped file 10->59 19 WerFault.exe 3 10 10->19         started        21 conhost.exe 10->21         started        23 WerFault.exe 10 13->23         started        25 conhost.exe 13->25         started        signatures5 process6 file7 35 C:\Users\user\AppData\...\kgpyuenj.exe, PE32 15->35 dropped 43 Multi AV Scanner detection for dropped file 15->43 45 Detected unpacking (creates a PE file in dynamic memory) 15->45 47 Detected unpacking (overwrites its own PE header) 15->47 49 6 other signatures 15->49 27 hrchz.exe 17 8 15->27         started        31 conhost.exe 15->31         started        signatures8 process9 dnsIp10 37 api4.ipify.org 64.185.227.155, 443, 49713 WEBNXUS United States 27->37 39 api.telegram.org 149.154.167.220, 443, 49715, 49716 TELEGRAMRU United Kingdom 27->39 41 api.ipify.org 27->41 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->61 63 Tries to steal Mail credentials (via file / registry access) 27->63 65 Creates multiple autostart registry keys 27->65 67 Tries to harvest and steal browser information (history, passwords, etc) 27->67 signatures11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 02:33:28 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sddwvslcc3ovmawnrxsxdkrwwqtfhyaa47emeu22aiqzckglmtxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bd6d3905b8463f23246c3b7953239277f0ffbf0096367ca02dce1cc38cc4e27
AgentTesla
30940d9b877543d2ccfc9a1b800a2459d0acb9b832a10766ba27692d70c9fc20
AgentTesla
5b8c0c56e48b1a5046c75da4416a009d3c9e00ab046223139551ba6c7126e4a7
AgentTesla
90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef
AgentTesla
b8d747db69fac284ccfeab921f8e06b6403763914b776ff518e6d3643ed9056d
AgentTesla
dec27cdadd52f7d2264eb50ecbae1d43313c917594d9c4b93ea936b556f05902
AgentTesla
eda76d518118e4843804277202fb22ac8239f7231775f411d0b36c2980919786
AgentTesla
+ 3'293 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230221-kta12aeb94/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5662683474:AAFvSjyPXTiwhBPcFi8of3_-_FCdfhhN8x0/
Unpacked files
SH256 hash:
1503a58eb885768562fc313bcb1e257d18357fbde776a97913d5d57bd19eb1a1
MD5 hash:
50bee87ae5c927216281cb79ed14bff5
SHA1 hash:
f13f4c3d14601a9551f14339456e8285cb65b638
Link:
https://www.unpac.me/results/12710c60-c761-459e-bf9e-e9db4bb7bbb4/
SH256 hash:
99ebf6529b6eae9e54062e771a791ba7205c7f9aee7161538dfc9c1b35908e5f
MD5 hash:
6fa7c18268d33c2e95f98ece71395070
SHA1 hash:
a7ba7222d6d941ff1c4de4be6ce59d6d9749222a
Link:
https://www.unpac.me/results/12710c60-c761-459e-bf9e-e9db4bb7bbb4/
SH256 hash:
8af8911846a277798968f3b36b967339e0987209ffdd5d19b6a82f958aefd288
MD5 hash:
15ff2fff664e6162fe28003d89fec98d
SHA1 hash:
5a63e33287571420ca776c8e931ca0a95300f2b7
Link:
https://www.unpac.me/results/12710c60-c761-459e-bf9e-e9db4bb7bbb4/
SH256 hash:
90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef
MD5 hash:
3b68d6819644f2b0584e5aed75085e13
SHA1 hash:
1a0059739568e3254fef3c605817dfb0787e61de
Link:
https://www.unpac.me/results/12710c60-c761-459e-bf9e-e9db4bb7bbb4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 9ea088337b6bf5f10380643b211ab858b4b3223eb81961a6f52e4c7bbe5db355

AgentTesla

Executable exe 90c76ac96216dd5602cd8de571aa36b42653e000e7c8c2535a02219128cb64ef

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9ea088337b6bf5f10380643b211ab858b4b3223eb81961a6f52e4c7bbe5db355
Cape
Cape
https://www.capesandbox.com/analysis/368571/
  
Dropped by
SHA256 a116bf0fcb90808f31dbad60ea3618bc9d7d82529539aa14e0e03c00ae8f7244
  
Dropped by
SHA256 ab39fb0221964aa2b481a4a1c92d1076d2b1e22afcae8d340dabae039fff9ed9
  
Dropped by
MD5 dd5b2db08fb4c5353dfd4edb8b636647
  
Dropped by
MD5 07b0f1d0150f2e1fc833052cbbeb21fd
  
Dropped by
MD5 dfc4749b86cc28adcf79213218c05d23

Comments