MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96abbdc6d2b0db258fca1d72a5b471bb7948e4fa083c29856a8091ab58102d59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	96abbdc6d2b0db258fca1d72a5b471bb7948e4fa083c29856a8091ab58102d59
SHA3-384 hash:	e50dabaf878289487dc2c976773f37ce752b161f242cab43d6b2d70bd4a5fab8968c9e1c77c2494775e9e693aa22e351
SHA1 hash:	6218e8695bdf5554c7e68346530d7d25bacd21dc
MD5 hash:	4281785b24e8bb2e95002f8419a764e9
humanhash:	ten-washington-quiet-vermont
File name:	Quotation.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	980'480 bytes
First seen:	2021-05-08 06:43:22 UTC
Last seen:	2021-05-08 07:01:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:HKVbX4CZn24UU69S9Q1RW9bPPRvCNBDCfLc:qVT/bpd9QmJHENgLc
Threatray	4'610 similar samples on MalwareBazaar
TLSH	21259CC59E8ABA1EC42EB771301180FCD3A36D2251CDE7D65BCBFDDA9B6368041916C2
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/152996/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/718064

Signature

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/96abbdc6d2b0db258fca1d72a5b471bb7948e4fa083c29856a8091ab58102d59/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-05-08 03:09:28 UTC

AV detection:

9 of 46 (19.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s2v33rwswdnsld6kdvzklndrxn4urzh2ba6ctblkqci2wwaqfvmq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3455716f81e993173ef1e17b90f9233f70e6ce36a735ca19c40dcf816fc389ce

AgentTesla

35a971b8e884d2d443a0d998e1f5c86cac85fe32af0eac3ba3bd518580f26678

AgentTesla

3fa40179e35abee79981eaad63f79962d9fdaad9685fea8380f04b98384e070f

AgentTesla

76184a1554ddbb339b8df5b47538c78621c515fd4825302f94879f781148db4c

AgentTesla

8ccb27d2627b5288f5eadd11fd64cc8a849bf587bac68d5a6699361c9f0684a5

AgentTesla

9a584e401113a22fcaa9c2b2265944fbcb38b53764e7c0c827003d0cfccc63d0

AgentTesla

9b673be5e2878f552738a2fa3c4a776c762e8686a5156be1feeb7b4e947fea2c

AgentTesla

9b74576bc83aa22f65c9b435e033c44c34ce65eca5e06ebfeeec399d2f8244a2

AgentTesla

ad0ee0f333050747c487196146dbdc43a4c59817120ed78b73835b3fc0f372b3

AgentTesla

+ 4'600 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210508-d7qeb6w32j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/3c0cad2c-c433-4301-a8ae-632a9fcb2b23/

SH256 hash:

96abbdc6d2b0db258fca1d72a5b471bb7948e4fa083c29856a8091ab58102d59

MD5 hash:

4281785b24e8bb2e95002f8419a764e9

SHA1 hash:

6218e8695bdf5554c7e68346530d7d25bacd21dc

Link:

https://www.unpac.me/results/3c0cad2c-c433-4301-a8ae-632a9fcb2b23/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/96abbdc6d2b0db258fca1d72a5b471bb7948e4fa083c29856a8091ab58102d59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/152996/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample