MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98c21c47ae7deca0bc86e0027cb5aace2c50153582e34252d639bdc669782aa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98c21c47ae7deca0bc86e0027cb5aace2c50153582e34252d639bdc669782aa1
SHA3-384 hash: 98d6413b1fc8fa3fbed810a3fe8641e0d5d27399226cdecd1bb46369a574635653c5430b0e21f306bccf9d8b1b20a940
SHA1 hash: 8ebd951461383fda7c7cabe5f62f1273bfa17d58
MD5 hash: 8c49eb2bca54789f0d7a43870f12b35e
humanhash: north-lake-crazy-autumn
File name:8c49eb2bca54789f0d7a43870f12b35e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:97'768 bytes
First seen:2021-03-23 16:02:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:aWXrrZot/bv5QoJ7nV1wbLNBoJCy3bu/PHNoUT1Msp2cfz9ybD+T/Jri:rrQv5QoJ7nV1wbLNBoJCy3bu/PHNoUTI
Threatray 102 similar samples on MalwareBazaar
TLSH DFA3002BB1027BC99A3179B24C6076950F234E4687E33650BE489EE309FD822567DDFD
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c49eb2bca54789f0d7a43870f12b35e.exe
Verdict:
No threats detected
Analysis date:
2021-03-23 22:44:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b455cfa3-fa88-47b9-8c05-b94d713b7780

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126710/
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/651485
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98c21c47ae7deca0bc86e0027cb5aace2c50153582e34252d639bdc669782aa1/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 12:14:46 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdbbyr5opxwkbpeg4abhznnkzywfafjvqlrueuwwhg64m2lyfkqq._file
Verdict:
suspicious
Similar samples:
2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
AgentTesla
4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a
AgentTesla
5033628aeaf43dcbe69bf7cf837a5ca98c30ba04cf1e892f38eb2268b25cb836
AgentTesla
7a8e27f4732de792d7904a347061efd90e892a954206adb676fe8b8a914ca3fa
AgentTesla
812a71bf7c8bec5ba792953f300d7c16f4748351b2058dfca5d38cbb1680e40b
AgentTesla
869147dc42f117713c1b9070d615deda8ff7d7baf8c5baea4ccee3c21829fa96
AgentTesla
8c38ea1b07ac6af7083834889e6c999fd84c857a767cf0928be1e7812a594849
AgentTesla
c52ddeac61f16fb23ff925617fba081392b7aabe47c82c765513755d38e62cde
AgentTesla
efb5ee93cfb2bdcf1a0391c00d3a8fbd23ffe6862fa302bef3a839e8f39453fa
AgentTesla
fd32e6bad3561c5fe9dcb7cc9429fb110fea37c843753f33f453b18df751520e
AgentTesla
+ 92 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210323-q9jl4edfe6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
98c21c47ae7deca0bc86e0027cb5aace2c50153582e34252d639bdc669782aa1
MD5 hash:
8c49eb2bca54789f0d7a43870f12b35e
SHA1 hash:
8ebd951461383fda7c7cabe5f62f1273bfa17d58
Link:
https://www.unpac.me/results/5f32963f-3847-4d9a-8f91-ceae8271ce68/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/98c21c47ae7deca0bc86e0027cb5aace2c50153582e34252d639bdc669782aa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 98c21c47ae7deca0bc86e0027cb5aace2c50153582e34252d639bdc669782aa1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1083049/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/126710/

Comments