MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96aa916c2711cc5ed30519c7421ddc6b3bd91af7a19bd8fa644985cdad3275e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96aa916c2711cc5ed30519c7421ddc6b3bd91af7a19bd8fa644985cdad3275e1
SHA3-384 hash: f0b0f5e3eb9a5310428042748b1b67142ff62889b8b6a6dd3fc1730629f78cf8d85090d20fbf29eb9a20c847bca68d32
SHA1 hash: 8720244a6cd6eea65700a25e09e53f900c03228c
MD5 hash: 19e9410758387208ccf11e3d40db746b
humanhash: ink-timing-blossom-jupiter
File name:EACTS sample product requirement 24th october 2023 pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'488'384 bytes
First seen:2023-10-24 06:57:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:2Jfq6F1DqrTlokppgnT3rLH7c4Tm+KrobuZWdLSSOLQOpQ4Z/Pmd6T9ufQ4UOrAa:gS62ynT7LHGobuZeLdwQFfQ4UOrAor
Threatray 21 similar samples on MalwareBazaar
TLSH T12165A703FA5789A3D1491737C5EBAB1603A5DBA07623E70E354F236A08C33B66D4572B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
EACTS sample product requirement 24th october 2023 pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-10-24 07:01:46 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/f81d733f-58aa-46cf-9f80-9a5bc87dd9dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455898/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.23856.27622.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin packed
Link:
https://www.filescan.io/uploads/65376afa2b74b3f20dd9519b/reports/6204ff2c-eeed-4ccd-a726-ca771f363fe2/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/96aa916c2711cc5ed30519c7421ddc6b3bd91af7a19bd8fa644985cdad3275e1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CinaRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81c3761b-a586-49f6-9c29-26f939b866e6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331084
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331084 Sample: EACTS_sample_product_requir... Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 93 mail.dayanbiotech.ir 2->93 95 web.fe.1drv.com 2->95 97 4 other IPs or domains 2->97 101 Found malware configuration 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 Antivirus detection for dropped file 2->105 107 11 other signatures 2->107 10 EACTS_sample_product_requirement_24th_october_2023_pdf.exe 16 6 2->10         started        14 Mvcmjqb.exe 14 4 2->14         started        16 Micosoft Excel 2020.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 91 C:\Users\user\AppData\Roaming\Mvcmjqb.exe, PE32 10->91 dropped 133 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->133 135 Creates multiple autostart registry keys 10->135 137 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->137 145 3 other signatures 10->145 20 EACTS_sample_product_requirement_24th_october_2023_pdf.exe 1 5 10->20         started        25 cmd.exe 1 10->25         started        27 EACTS_sample_product_requirement_24th_october_2023_pdf.exe 10->27         started        139 Antivirus detection for dropped file 14->139 141 Multi AV Scanner detection for dropped file 14->141 143 Machine Learning detection for dropped file 14->143 29 cmd.exe 14->29         started        31 cmd.exe 16->31         started        33 cmd.exe 18->33         started        35 cmd.exe 18->35         started        signatures6 process7 dnsIp8 99 dayanbiotech.ir 5.9.154.209, 49721, 49742, 49743 HETZNER-ASDE Germany 20->99 87 C:\Users\user\...\Micosoft Excel 2020.exe, PE32 20->87 dropped 89 Micosoft Excel 2020.exe:Zone.Identifier, ASCII 20->89 dropped 113 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->113 115 Tries to steal Mail credentials (via file / registry access) 20->115 117 Creates multiple autostart registry keys 20->117 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->119 121 Adds extensions / path to Windows Defender exclusion list 25->121 54 2 other processes 25->54 37 Mvcmjqb.exe 29->37         started        40 conhost.exe 29->40         started        42 Micosoft Excel 2020.exe 31->42         started        44 conhost.exe 31->44         started        46 Mvcmjqb.exe 33->46         started        48 conhost.exe 33->48         started        50 Micosoft Excel 2020.exe 35->50         started        52 conhost.exe 35->52         started        file9 signatures10 process11 signatures12 56 Mvcmjqb.exe 37->56         started        59 cmd.exe 37->59         started        109 Adds extensions / path to Windows Defender exclusion list 42->109 111 Injects a PE file into a foreign processes 42->111 61 Micosoft Excel 2020.exe 42->61         started        63 cmd.exe 42->63         started        65 Micosoft Excel 2020.exe 42->65         started        67 cmd.exe 46->67         started        69 cmd.exe 50->69         started        process13 signatures14 123 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 56->123 125 Tries to steal Mail credentials (via file / registry access) 56->125 127 Hides that the sample has been downloaded from the Internet (zone.identifier) 56->127 129 Adds extensions / path to Windows Defender exclusion list 59->129 71 conhost.exe 59->71         started        73 powershell.exe 59->73         started        131 Tries to harvest and steal browser information (history, passwords, etc) 61->131 75 conhost.exe 63->75         started        77 powershell.exe 63->77         started        79 conhost.exe 67->79         started        81 powershell.exe 67->81         started        83 conhost.exe 69->83         started        85 powershell.exe 69->85         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/96aa916c2711cc5ed30519c7421ddc6b3bd91af7a19bd8fa644985cdad3275e1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96aa916c2711cc5ed30519c7421ddc6b3bd91af7a19bd8fa644985cdad3275e1/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 06:58:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2vjc3bhchgf5uyfdhdueho4nm55sgxxugn5r6tejgc43ljsoxqq._file
Verdict:
unknown
Similar samples:
00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5
AgentTesla
02522d0f348287c34fe5151fcd556f2f9fb9efe532af705638ea0f2a39dd2434
AgentTesla
2f06ccf1497fddb1e349f0a3b35126cf2af0ffb5753558cae54cb3cc1368bc0f
AgentTesla
37d9c4e523e17ea2111fa669884bf215b4103ebaa1b3cf93fa0b7cde3bbcef63
AgentTesla
92f94ba0c124a7a8158ce117d838c026035116e2ab2565ebc437575ddf87eeea
AgentTesla
b0b649dec72a9272fed5d4b7bae97ee80ea37044aea6e2fbcf94923b54c792d9
AgentTesla
c5bf13f324052f8e3240024494c7c4bf809e3c423a59fabd0cd067e01a990ee6
AgentTesla
e3918d1a379ce63babeab599ef8897ce97001017680702dfc8b5ca8ff1808b54
AgentTesla
e7ee6803b3198f660de53f1dea2b7e005d640829b246f6ef97583c61276a9ac0
AgentTesla
+ 11 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231024-hrha8abc9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
96aa916c2711cc5ed30519c7421ddc6b3bd91af7a19bd8fa644985cdad3275e1
MD5 hash:
19e9410758387208ccf11e3d40db746b
SHA1 hash:
8720244a6cd6eea65700a25e09e53f900c03228c
Link:
https://www.unpac.me/results/4e9cb39c-f95e-4e96-9204-c5550e1e403f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 96aa916c2711cc5ed30519c7421ddc6b3bd91af7a19bd8fa644985cdad3275e1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/455898/

Comments