MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273
SHA3-384 hash: c125e50284a9371e8675c4c1ce97ad38c8537d5328022cc522757b5ccd7a4497a12df4305ac28fa784cefb24041ca3ab
SHA1 hash: 384eb34766b7a7814ec6c74e0bbc4f5476ca3d55
MD5 hash: 7da1f74d38eb06c304c996974548962c
humanhash: music-mockingbird-venus-bulldog
File name:Request For Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:273'754 bytes
First seen:2022-05-04 07:46:17 UTC
Last seen:2022-05-09 08:26:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:xNeZBm0+/GhUE7S5LSd3miT72dfFyl4GOw50Hl0INUQ+d7/J9JA+7:xN+r+mxuLSd3mi72dfEl4Gr0FzUH7/e+
Threatray 19'397 similar samples on MalwareBazaar
TLSH T1AB4412253665E4F3ECA349F25D1D87235BB6582A21B9561F23E01B9CB8313C2D91E3C7
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter cocaman
Tags:AgentTesla exe INVOICE QUOTATION

Intelligence

File Origin
# of uploads :
7
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Request For Quotation.exe
Verdict:
Malicious activity
Analysis date:
2022-05-04 07:58:54 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/026b8fbf-545b-4505-91fc-6163b818463b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268559/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16273/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62722fb562b1ae4451d52439/reports/3df551fb-3579-420d-8f44-987beeb32cee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ed361006-d4a6-4f0b-9323-7714bfe50da4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/987570
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273/
Threat name:
Win32.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 07:14:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3qmaayhx546ezkovf73m465ovos2provhqx7pdxjmug63kmgjzq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
378f9b092b0ef255bfc83189a18d1fa6caf5245bddaf4bfb98236cdbc66fc277
AgentTesla
6ab30070b29a4095465e89dbc1a4b0788625565aa7608973b274aadd715b5db1
AgentTesla
6d689a498b723dffb589b4628255d59b6cda524432d521a273a4d789b2a21c6e
AgentTesla
96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273
AgentTesla
ade4338ff8eb7ed4b807c264a9fb7f559c9e98401de46ffdd8e0a4a502f63406
AgentTesla
cad40a730db37853650add2b302af798fb0eb43cb266f51f78d927d487ad0f46
AgentTesla
e6373eddd3eea61d770a921ee1f63f43145fafef60b2303bb8d2633a895f6b86
AgentTesla
+ 19'387 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220504-jmh8dsddf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
3b5c4747cd46802feebab563842fb2fe23ae2d382cebd9dadb6eaac8aef24ab6
MD5 hash:
b093b21d95e4d74b1004fbb11f7ced7d
SHA1 hash:
7d657f39d25ac55c02124d557477620529a605dd
Link:
https://www.unpac.me/results/9e0d4f3f-4ec1-43c3-a0c0-db97bcd3c8c1/
SH256 hash:
0e0da231426160c9b171330fb4858701dedb27baacf6bc3152891ecef6932c29
MD5 hash:
a234bf99214d14f730756625d9631801
SHA1 hash:
19e2098caf21545a3bc70ffb9588cc3014526928
Link:
https://www.unpac.me/results/9e0d4f3f-4ec1-43c3-a0c0-db97bcd3c8c1/
SH256 hash:
b44d9ea06943bc03c21c988c6d5540ec79c94ad4ea51c25dcd59d7bb584289de
MD5 hash:
f44b746b9b3401c09e19e1c5ec6d2d98
SHA1 hash:
8b0a18c37e820008f735d986f94458771d2ec05b
Link:
https://www.unpac.me/results/9e0d4f3f-4ec1-43c3-a0c0-db97bcd3c8c1/
SH256 hash:
afc88b6a79de6d0a607adcb346261cf9a77731a2f723ebd4cbd0d402abec98f8
MD5 hash:
19b2a9f30d028c964857cb6f3adf8022
SHA1 hash:
696f43834b43351ad8df616d15cca56a714f918f
Link:
https://www.unpac.me/results/9e0d4f3f-4ec1-43c3-a0c0-db97bcd3c8c1/
SH256 hash:
96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273
MD5 hash:
7da1f74d38eb06c304c996974548962c
SHA1 hash:
384eb34766b7a7814ec6c74e0bbc4f5476ca3d55
Link:
https://www.unpac.me/results/9e0d4f3f-4ec1-43c3-a0c0-db97bcd3c8c1/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/96e0c00307bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip b2edd94a3bb732ec0c52531b259a1b93caa1207714dbf051c7f560116d958acc

AgentTesla

Executable exe 96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b2edd94a3bb732ec0c52531b259a1b93caa1207714dbf051c7f560116d958acc
  
Dropped by
SHA256 974a000f2b7bc5e9d3986712a645f3dd164c102c9a2d2278997fdc610975cb4b
Cape
Cape
https://www.capesandbox.com/analysis/268559/
  
Dropped by
MD5 79307321eaeb1d74dd78e5b902e45af4
  
Dropped by
MD5 42e1d34dd107ccf0c82ac06340517cb2

Comments