MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 16 File information Comments

SHA256 hash:	988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2
SHA3-384 hash:	0d3da1357761dab9409ec2d9f9c129b54400e6694af330cb30b8b51435c8853b905d4fdd7b2602ce23d89bac5a8eda6e
SHA1 hash:	152cacbd08f27ba2cfc372eed6f736212a71a237
MD5 hash:	4b07c8ee37ced0b916bfb2a6dec89a86
humanhash:	ohio-jersey-nitrogen-spaghetti
File name:	BQ011612,011679.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	653'312 bytes
First seen:	2023-10-04 05:59:27 UTC
Last seen:	2023-10-04 11:47:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:N8zS55mFzZ/ZInU3EWLSMnbjCPY88l6E2ExknDJd7oru:Nf55qF/ZIUhSq3QYQznDJdy
Threatray	21 similar samples on MalwareBazaar
TLSH	T1D7D412413AB88A2BDD3C0BF31C3146D09BB55C2A2516F6DD3DD6759E0CBAF448206B9B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	71f0b2e8f0b0e871 (16 x AgentTesla, 4 x Formbook, 2 x SnakeKeylogger)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

345

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.16612.16258.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/651cff63426c8727d6eadaed/reports/05191f72-4bc6-45ea-9a50-08c0d955e80f/overview

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.5

Link:

https://www.hybrid-analysis.com/sample/988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ddce03f0-e55e-4972-8526-d5a7dddc346b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1319197

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Uses netstat to query active network connections and open ports

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2023-10-04 04:10:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 22 (86.36%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tchntvxvqmd4utk5ijdreqgv7pbx6mnvxqhbab4gt76cf4jfogza._file

Verdict:

malicious

Label(s):

formbook

agenttesla

AgentTesla

0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8

AgentTesla

3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6

AgentTesla

3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d

AgentTesla

457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b

AgentTesla

50b7c22b62b792c34ad69ec219ee468803d070257b57902a33248f953444caf7

AgentTesla

becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789

AgentTesla

d5e591ea8f68073801567e09b4323723d5cf1232ce0225365b1e74ee1cfe2c44

AgentTesla

f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f

AgentTesla

+ 11 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/231004-gqbllshd9t/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Unpacked files

SH256 hash:

2774ee2faeb728836a406a1c1fe7c586afee98bd2e8ed886449510d9b10f0ad0

MD5 hash:

60f18b38ce30086717491c0c6fb07bb4

SHA1 hash:

faa16dbbd107b9042369e241eae20f5e02e7f8a9

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

Parent samples :

d5e591ea8f68073801567e09b4323723d5cf1232ce0225365b1e74ee1cfe2c44
457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2

SH256 hash:

eae295b9f95b0b618d0dae374f26e700d8b27b5a9b4c65f5872c0ba797d9a5ad

MD5 hash:

29240f36c9b7fc6f7e1792c94e62eee7

SHA1 hash:

9c13994a69dacc8f92bc5aa1d21f2c55ef5ccec6

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

f03cfb0d0b6c304bb498d10b08ca4bb52498e1d655f45a1fa10b39a7b71e0e9a

MD5 hash:

96ec308fcf4e0cda9d5ad4ab41de4c79

SHA1 hash:

6ac02e33112bc00807081a37c3aa625c4a69fe4c

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63

MD5 hash:

5c904da8528cfb1b87b15a6aa7c059cd

SHA1 hash:

f0a192969485d1bc34bf52adf37d9c20176d6b85

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b

MD5 hash:

ec0b80883f0b18fb75a48dd18795f514

SHA1 hash:

afe9537c27362b6769a1df0ad414b8e58d34ea40

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

fd92739a87cd8e00e72c2eee3cc3e8c394c6d6f9fa1236c0afe1e3b8a37edbed

MD5 hash:

6032b0fd1f3840e5916e7945c820cf61

SHA1 hash:

0e2c52a67d2d66f8b8463ee2066992ac83e7e525

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

95e10f019354968db50284aadd1d71ddc73b7524f6d068bddf2aecbef199f86e

MD5 hash:

888925b1330ea8de22e7b55e6111dc27

SHA1 hash:

b0d730f5e771ebc7c900d7622967cf5df6e26636

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

053cfb7e1efc36108638aa0f6b92140621f4ca6f46bc7c26fa87263cdb9b015c

MD5 hash:

9c7bd904d2da809c8f2f0bea54e1260f

SHA1 hash:

8e9fc726326f1277c52109f35994d4ec00f0278a

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

ca5ccbbf31eec66c41dfb6e690f63125c1124a9dd817ab1fd44943414ce658e5

MD5 hash:

41ef14eb691a2401498472cce4e5f387

SHA1 hash:

6917f5992f393e16aafa2dc29981e3f0e7b3a0f4

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

dcffb42a05eae4dc881849c0a8cc7aa267adf4341ac87deece41bd46774719f5

MD5 hash:

0926ee6e2d01657a8eee175d0d59983e

SHA1 hash:

684d9146c6a543a2b0ba9a71b04f288f59c49ce6

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

1d5ac9a19469570f6b292a54fc72a50eb05c69dd5bb94311e5e8827a3a02e15b

MD5 hash:

9d1d96d92a0e567db56bef03601d646b

SHA1 hash:

57f98618a013d9b9159b9757e748888eb5948266

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

a7b228ca5442a41639bcf3269f30c15963dae64d2b14ca6b5819b465acd2da94

MD5 hash:

dcb5336ea214e78c76564dc32a7ab65a

SHA1 hash:

16f62d121c6eb579df3757f80c7419c55e34b34f

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

SH256 hash:

988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2

MD5 hash:

4b07c8ee37ced0b916bfb2a6dec89a86

SHA1 hash:

152cacbd08f27ba2cfc372eed6f736212a71a237

Link:

https://www.unpac.me/results/75bac543-23b0-4eb3-b6c2-cc46a849851a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/988ed9d6f583/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 637ef39cf41eec5dc902bd1b9da12d39bdfadd88c1b6388b9bfbd0981599ce6f

AgentTesla

exe 988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2

(this sample)

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 637ef39cf41eec5dc902bd1b9da12d39bdfadd88c1b6388b9bfbd0981599ce6f

Dropped by

MD5 a49efd9ffb5e0ca31315173cc7e90e83

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample