MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98f6d2cf476f3816f2af090b822c9ccae2438b9231981c31bccfff73f45b263f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98f6d2cf476f3816f2af090b822c9ccae2438b9231981c31bccfff73f45b263f
SHA3-384 hash: 9637ac629afd9b4beb9c63a8dec113993e253f0b16360ebf56526c0901a8feaa19899e74d7fa527b8f58e0517c62c942
SHA1 hash: 5294a5bbe5c9abec76e3d8ef18d9f0a33f06243e
MD5 hash: 208174d367e74a1cf6fd2d41a908ffd5
humanhash: lake-oregon-eighteen-floor
File name:SecuriteInfo.com.MSIL.Trojan-Downloader.Agent.BKG.23721.32065
Download: download sample
Signature AgentTesla
Create hunting rule
File size:9'216 bytes
First seen:2022-10-26 02:25:29 UTC
Last seen:2022-10-26 06:27:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 96:IsUizx8q6DdrxqK1q5LtHQP5+epWZ1DXv3WNtW1jYcFoNVcz1W4oKYMsLYUa:xSF/Vq5LtwP5hgjv8stYcFmVc03KY
Threatray 20'741 similar samples on MalwareBazaar
TLSH T16112E601A3D40272DAB602B63D6B9782C336A7E75C468FE978CC955E3F3214287736E5
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.MSIL.Trojan-Downloader.Agent.BKG.23721.32065
Verdict:
Malicious activity
Analysis date:
2022-10-26 02:28:08 UTC
Tags:
trojan agenttesla
Link:
https://app.any.run/tasks/fec84365-66bf-4ecc-b326-00f983267705

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324173/
Detection(s):
SecuriteInfo.com.MSIL.Trojan-Downloader.Agent.BKG.23721.32065.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d12067f1-bf33-4abf-b2d8-9e9b3e650c24
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098004
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 730655 Sample: SecuriteInfo.com.MSIL.Troja... Startdate: 26/10/2022 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus detection for URL or domain 2->32 34 9 other signatures 2->34 7 SecuriteInfo.com.MSIL.Trojan-Downloader.Agent.BKG.23721.32065.exe 15 4 2->7         started        process3 dnsIp4 22 194.180.48.246, 49698, 80 LVLT-10753US Germany 7->22 20 SecuriteInfo.com.M...23721.32065.exe.log, ASCII 7->20 dropped 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->38 40 Encrypted powershell cmdline option found 7->40 42 Injects a PE file into a foreign processes 7->42 12 SecuriteInfo.com.MSIL.Trojan-Downloader.Agent.BKG.23721.32065.exe 2 7->12         started        16 powershell.exe 16 7->16         started        file5 signatures6 process7 dnsIp8 24 api.telegram.org 149.154.167.220, 443, 49701 TELEGRAMRU United Kingdom 12->24 26 192.168.2.1 unknown unknown 12->26 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->44 46 Tries to steal Mail credentials (via file / registry access) 12->46 48 Tries to harvest and steal ftp login credentials 12->48 50 Tries to harvest and steal browser information (history, passwords, etc) 12->50 18 conhost.exe 16->18         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98f6d2cf476f3816f2af090b822c9ccae2438b9231981c31bccfff73f45b263f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 01:56:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=td3nft2hn44bn4vpbefyele4zlrehc4sggmbymn4z77xh5c3ey7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02d7ab6afcf9f15fba169e0d8491499cf27a87fba17a3afd80bd6e5873a9338f
AgentTesla
270daae1261a5456d3a85fdd050e3f7c7f55ed69015bcffc1a4e958e2816a513
AgentTesla
5ca468704e7ccb8e1b37c0f7595c54df4e2f4035345b6e442e8bd4e11c58f791
AgentTesla
9c4b36f3358c82368a74e868177cf827687288367d9d4e69206361467c423d13
AgentTesla
aa96c41edf3b9a54f597623dfae536b759c71736f986635b3e483f04ce64c099
AgentTesla
ad57def386afddee671b7259046c88da4e51150af32afae55433ca43b52d17d5
AgentTesla
ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969
AgentTesla
daf72eb67d270757434158fbcb578a1a53f82ee5fd94c98c24e1580429ed9c3c
AgentTesla
ddd2832de9b42fc2b5b4ad51c9db65d979fec3312aaed4b1a31aa439b0598569
AgentTesla
+ 20'731 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221026-cwvjfseegk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5544798312:AAFCE9wlKN3YHM9MGYnKgWUb8D_lz2PBmQ8/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e44b9be3-3458-43a1-b416-9f52236e154b
Unpacked files
SH256 hash:
98f6d2cf476f3816f2af090b822c9ccae2438b9231981c31bccfff73f45b263f
MD5 hash:
208174d367e74a1cf6fd2d41a908ffd5
SHA1 hash:
5294a5bbe5c9abec76e3d8ef18d9f0a33f06243e
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/eca6627a-b84d-44d7-8535-d3f00bf3fd16/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98f6d2cf476f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/98f6d2cf476f3816f2af090b822c9ccae2438b9231981c31bccfff73f45b263f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324173/

Comments