MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96c34292c35dbb15c36078c6645e2ac7938aeae168167e1493b4e8476c20d3b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96c34292c35dbb15c36078c6645e2ac7938aeae168167e1493b4e8476c20d3b8
SHA3-384 hash: 72384f81a28d23820fa691057f72bb3fc81861b85471ace2619feb2ad38d8831c65e48e051b776f294c498372c071b6d
SHA1 hash: 9a905311c7bf80468550eff4035f2a81fab7e59e
MD5 hash: 6116190492bf5bd78257e20b863672f6
humanhash: quebec-skylark-apart-pip
File name:MV AMIS WEALTH CTM USD 40,000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:495'616 bytes
First seen:2022-01-24 12:48:57 UTC
Last seen:2022-01-24 21:15:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xoAQa7iIxf3jz+BbBw9whPnBWIh798f3DtQMID:WDaWIxvjzyU4IIh7uf
Threatray 14'278 similar samples on MalwareBazaar
TLSH T19EB4015972D876AFC46FCE7ADEB01C11D37074695317DB43A54B229E884E78B8E00AF2
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221936/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.17944.31501.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/61eea043f81da814af9fe44e/reports/2416b9b8-e4a2-4ca2-b81b-c18cf21aad70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6cb9dc0-30ed-42dd-8a72-e163d782a8ea
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926317
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 558795 Sample: MV AMIS WEALTH  CTM USD 40,... Startdate: 24/01/2022 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 14 other signatures 2->59 7 MV AMIS WEALTH  CTM USD 40,000.exe 7 2->7         started        11 NXLun.exe 2 2->11         started        13 NXLun.exe 1 2->13         started        process3 file4 33 C:\Users\user\AppData\...\DaxaGTTfiBVxRn.exe, PE32 7->33 dropped 35 C:\...\DaxaGTTfiBVxRn.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9BE3.tmp, XML 7->37 dropped 39 C:\...\MV AMIS WEALTH  CTM USD 40,000.exe.log, ASCII 7->39 dropped 61 Writes to foreign memory regions 7->61 63 Allocates memory in foreign processes 7->63 65 Adds a directory exclusion to Windows Defender 7->65 67 Injects a PE file into a foreign processes 7->67 15 RegSvcs.exe 2 4 7->15         started        19 RegSvcs.exe 7->19         started        21 powershell.exe 25 7->21         started        23 schtasks.exe 1 7->23         started        25 conhost.exe 11->25         started        27 conhost.exe 13->27         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\...41XLun.exe, PE32 15->41 dropped 43 C:\Windows\System32\drivers\etc\hosts, ASCII 15->43 dropped 45 Modifies the hosts file 15->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->47 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->51 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/96c34292c35dbb15c36078c6645e2ac7938aeae168167e1493b4e8476c20d3b8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 09:55:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3bufewdlw5rlq3apddgixrky6jyv2xbnalh4fetwtueo3ba2o4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0036b6f019b571fa34832f001ed1272c9e62d0601566aaee332115e9ae8e01d7
AgentTesla
179a6b78ee77a7487c41d57efd226c0191c050724f346918a4e230a3fbb38924
AgentTesla
3d9729b33f01f4fd8a138d106d9ff2e1bb311f28a6a9ffc1b664d1b1cfeeb4c8
AgentTesla
69735229b0e55d5ebf3429260472126022828db9be112e484c5b8a0b01472130
AgentTesla
9413edeb35a7695bd1ce1abef97e816197d0f3c0c8ec1dbeb540dec6ba24c459
AgentTesla
97633db1552b4791c99177e854d262a0d1021d44ee8717dc13bac90d6f55ae01
AgentTesla
b16702237b0fa9a919093458ca1711fe959e8ba2b7b885021237cf5b83d84e5b
AgentTesla
+ 14'268 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220124-p2cbaaefh4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2092755520:AAFUT-2SMjjd39KTAiZYfccbaFzWXamzjz4/sendDocument
Unpacked files
SH256 hash:
c2027d877ee581acf99760a8b36bce82d51b99300681e9acbc4a5fde3672a35e
MD5 hash:
5623fa2c498b00f37ab6d6f408b791af
SHA1 hash:
e9f1cfac867ab6e494d032c2814e891ef5d19adf
Link:
https://www.unpac.me/results/5808c863-5bdf-4142-ab21-e44243613dea/
SH256 hash:
f1fdf3cc9532ee737ed8adc8a7dd5eb7f1a53f144472a704d18e80e722c8e217
MD5 hash:
cf810470d408d2aa771056eb5d1d71ff
SHA1 hash:
cb765f8b41bd774d232beec5f30f4c4872907926
Link:
https://www.unpac.me/results/5808c863-5bdf-4142-ab21-e44243613dea/
SH256 hash:
8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash:
efdf2c54a74297c24bc73285376c432b
SHA1 hash:
564f25afb6c5599cdcd5fafaff32c1475e581af4
Link:
https://www.unpac.me/results/5808c863-5bdf-4142-ab21-e44243613dea/
SH256 hash:
96c34292c35dbb15c36078c6645e2ac7938aeae168167e1493b4e8476c20d3b8
MD5 hash:
6116190492bf5bd78257e20b863672f6
SHA1 hash:
9a905311c7bf80468550eff4035f2a81fab7e59e
Link:
https://www.unpac.me/results/5808c863-5bdf-4142-ab21-e44243613dea/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/96c34292c35d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96c34292c35dbb15c36078c6645e2ac7938aeae168167e1493b4e8476c20d3b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221936/

Comments