MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97c69287c207370326199647238fd3578c061df19768ae3181e8aa20b9b87100. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

SHA256 hash: 97c69287c207370326199647238fd3578c061df19768ae3181e8aa20b9b87100
SHA3-384 hash: c6141bcbdea09b5b51efa4c38bba99cec596ba0352259a16d7872d1e577335ecdfacae8860d1d3f66aab2f6a6fca1eb2
SHA1 hash: 65d40278a4cc77caf106a4de30a151ff13412039
MD5 hash: c48f38fc47d6349ab8992c1e3d376c0f
humanhash: quebec-single-apart-moon
File name: FAT098765700080000.BAT
Signature: AgentTesla
File size: 1'166'336 bytes
First seen: 2023-12-01 09:23:55 UTC
Last seen: 2023-12-01 11:25:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep: 24576:HHJYCiYv7vz2YowyFskjCBthTNtohgcjBHDMSgEmwJCp:HHJ+YvGSydCBnTtcGSfmw8
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1DF452356230A8363D9BEA7F7A890540493B3B81B9550E304DCC788CE6C72B55DAA3FD7
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 30e8ccd4716961e8 (15 x AgentTesla, 3 x Formbook, 1 x Loki)
Reporter: lowmal3
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 318
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: FAT098765700080000.BAT
Verdict: Suspicious activity
Analysis date: 2023-12-01 09:29:10 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Result
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-12-01 07:07:15 UTC
File Type: PE (.Net Exe)
Extracted files: 23
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Verdict: malicious
Label(s): avemaria agenttesla

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
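The behaviours the sandboxes report for this sample (Defender exclusion, hidden drop under %AppData%, autorun file, scheduled task, injection into a freshly created process) are the part of this entry that survives repacking, and they matter here because the family labels do not agree: the entry is tagged AgentTesla, one vendor labels it "avemaria agenttesla", and the Remcos YARA rules fire on one of the unpacked files listed below. The following is an added example, not code from MalwareBazaar or from any sandbox vendor, that turns those behaviours into checks over host telemetry. The event schema (dicts with `type`, `id` and a few fields), the rule names and the sample events are constructed for the example; only the Windows locations and command lines being matched are real.

```python
"""
Added example, not code from MalwareBazaar or any of the sandboxes quoted on
this page: turns the behaviours reported above into host-telemetry checks.
The event schema (dicts with 'type', 'id' and a few fields) and the sample
events are constructed for this example; only the Windows locations and
command lines being matched are real.
"""
from collections import defaultdict

# Real Windows locations (lower-cased for matching); compared as substrings.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
DEFENDER_EXCLUSIONS = "\\microsoft\\windows defender\\exclusions\\"
APPDATA = "\\appdata\\"


def _low(value):
    return (value or "").lower()


def rule_defender_exclusion(ev):
    """'Adding an exclusion to Microsoft Defender': a write under the Exclusions
    keys, or Add-MpPreference -Exclusion* run from a command line."""
    if ev["type"] == "registry":
        return DEFENDER_EXCLUSIONS in _low(ev.get("key"))
    cmd = _low(ev.get("cmdline"))
    return ev["type"] == "process" and "add-mppreference" in cmd and "-exclusion" in cmd


def rule_autorun(ev):
    """'Enabling autorun by creating a file': a file dropped into the Startup
    folder, or a value written under a Run key."""
    if ev["type"] == "file":
        return STARTUP_DIR in _low(ev.get("path"))
    return ev["type"] == "registry" and RUN_KEY in _low(ev.get("key"))


def rule_scheduled_task(ev):
    """'Creates scheduled task(s)': schtasks.exe invoked with /create."""
    return (ev["type"] == "process"
            and _low(ev.get("image")).endswith("\\schtasks.exe")
            and "/create" in _low(ev.get("cmdline")))


def rule_hidden_appdata_drop(ev):
    """'Creating a file in the %AppData% directory' plus 'Enabling the hidden
    option': a file written under AppData with the hidden attribute set."""
    return ev["type"] == "file" and APPDATA in _low(ev.get("path")) and bool(ev.get("hidden"))


def rule_remote_thread(ev):
    """'Unauthorized injection to a recently created process': a thread created
    in another process (Sysmon event ID 8 style; schema is an assumption)."""
    return ev["type"] == "remote_thread" and ev.get("source_pid") != ev.get("target_pid")


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "autorun": rule_autorun,
    "scheduled_task": rule_scheduled_task,
    "hidden_appdata_drop": rule_hidden_appdata_drop,
    "remote_thread": rule_remote_thread,
}


def evaluate(events):
    """Return {rule_name: [event ids that matched]} for rules with at least one hit."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["id"])
    return dict(hits)


# Constructed events modelled on the behaviours listed above; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Roaming"},
    {"id": 2, "type": "file", "path": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "hidden": True},
    {"id": 3, "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "value": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"},
    {"id": 4, "type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 1 /tn Updates /tr C:\\Users\\u\\AppData\\Roaming\\svchost.exe"},
    {"id": 5, "type": "remote_thread", "source_pid": 4120, "target_pid": 4188},
    {"id": 6, "type": "file", "path": "C:\\Users\\u\\Documents\\notes.txt", "hidden": False},   # benign
    {"id": 7, "type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /query"},  # benign
]

if __name__ == "__main__":
    for rule, ids in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{rule:<20} events {ids}")
```

Each rule maps to one line of the sandbox output, so a hit can be traced back to the reported behaviour; the benign events (a plain document write, `schtasks /query`) are there to show the rules stay quiet on ordinary activity. Feeding real Sysmon or EDR records means adapting only the field names, not the matching logic.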
Unpacked files
SHA256 hash: 10e1c58c0a00d947f62f9f1c1f32cae98cb00404c37b72c4c057e2b2d10da444
MD5 hash: c616e4beb7779e6c96a917466cd65d16
SHA1 hash: 83014e3cfee815802b100cdf7059d3b3564840d8
Detections: win_mofksys_auto SUSP_Imphash_Mar23_2

SHA256 hash: 283bbfe4c9d1609384c643a7baa638984c983886ade0deb856b70283417243ed
MD5 hash: 6578cbe87e5f095c458373fca717467f
SHA1 hash: d8ad170d573085bebb5b1eb978a2c689798e578a

SHA256 hash: b7d721f5b8b9e45d07229c22aa79efe28265987cb9f8c02f8c614cfb0b76500a
MD5 hash: d0273a88e29c5ac3eba7a0d9ec101835
SHA1 hash: d888ea0c6b9a42b9263f44c8806184bf37492e69
Detections: Remcos win_remcos_w0 win_remcos_auto malware_windows_remcos_rat INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM win_remcos_rat_unpacked

SHA256 hash: bc99dcc182eaf17394c34611c1aef4ad45c3079ae116c19caa17620d64c39f7c
MD5 hash: 84fe0cc42b4f30e7b6f58c92f9ad3d56
SHA1 hash: d753cc7cc8e2927f9cde57fb67b5bceebd2f5fd2

SHA256 hash: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash: 579197d4f760148a9482d1ebde113259
SHA1 hash: cf6924eb360c7e5a117323bebcb6ee02d2aec86d

SHA256 hash: 0e8a5f6bd3e915b9d2fae9428730dc5017348d23b622bccbb1971e352052734b
MD5 hash: 56feb04fdc8b0453c62267ac204ed555
SHA1 hash: 7d41fb41cac90bea85cb6691a5945568115cbcbf

SHA256 hash: 97c69287c207370326199647238fd3578c061df19768ae3181e8aa20b9b87100
MD5 hash: c48f38fc47d6349ab8992c1e3d376c0f
SHA1 hash: 65d40278a4cc77caf106a4de30a151ff13412039
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
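Two of the three YARA hits above (pe_imphash, Skystars_Malware_Imphash) match on nothing but the import hash, and the imphash line in the entry shows why that is weak evidence for this sample: the same value, f34d5f2d4577ed6d9ceec516c1f5a744, is attached to 48'672 AgentTesla, 19'494 Formbook and 12'214 SnakeKeylogger samples. The following is an added example, not code from MalwareBazaar or from the rule authors, that recomputes an imphash the way pefile's get_imphash() does and shows that the page value is simply the hash of the one native import every managed (.NET) executable carries. The import lists are constructed for the example; the simplified function does not reproduce pefile's ordinal-to-name mapping for ws2_32.dll and oleaut32.dll.

```python
"""
Added example, not code from MalwareBazaar or from the YARA rule authors:
recomputes an imphash the way pefile does it and shows why the value listed
for this sample (f34d5f2d4577ed6d9ceec516c1f5a744) is a weak pivot.
The import lists below are constructed for the example.
"""
import hashlib

# Values taken from this entry's imphash line: one hash, three families.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"
PAGE_IMPHASH_COUNTS = {"AgentTesla": 48672, "Formbook": 19494, "SnakeKeylogger": 12214}


def imphash(imports):
    """imphash over [(dll_name, function_name_or_ordinal), ...] in import-table order.

    Mirrors pefile's get_imphash(): strip a .dll/.ocx/.sys suffix, lower-case
    everything, join 'dll.func' entries with commas, MD5 the result.  Ordinal
    imports are rendered as 'ordN'; pefile additionally maps known ordinals of
    ws2_32.dll and oleaut32.dll back to names, which this version does not do.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib[:-4]
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Every managed (.NET) executable imports exactly one native symbol, so its
# imphash says "this is a .NET binary" and nothing more.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# A constructed native import table, the kind an unpacked payload would carry.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("WS2_32.dll", 115),  # ordinal import; pefile would resolve this to a name
]


def is_generic_dotnet_imphash(value):
    """True when an imphash is just the stub import of a managed executable."""
    return value.lower() == imphash(DOTNET_IMPORTS)


def pivot_precision(counts, family):
    """Share of samples carrying one imphash that belong to `family`."""
    return counts[family] / sum(counts.values())


if __name__ == "__main__":
    print("computed .NET imphash :", imphash(DOTNET_IMPORTS))
    print("matches page value    :", imphash(DOTNET_IMPORTS) == PAGE_IMPHASH)
    print("AgentTesla precision  :", round(pivot_precision(PAGE_IMPHASH_COUNTS, "AgentTesla"), 3))
    print("native example imphash:", imphash(NATIVE_IMPORTS))
```

For a real file the same value comes from `pefile.PE(path).get_imphash()`. The practical point is the precision figure: even for the most common family behind this imphash, a match is right only about 60% of the time among the three families the entry lists, so an imphash-only YARA hit on a .NET sample should be treated as a file-type classification, and pivots should use the ssdeep, TLSH or dhash values from the entry, or the unpacked payload's own imports, instead.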

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 97c69287c207370326199647238fd3578c061df19768ae3181e8aa20b9b87100 (this sample)

Delivery method: Distributed via e-mail attachment
