MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a
SHA3-384 hash: d58a9472d4fc98849adf32f3de3b22cbc32b72644ae75d551eca3bab39c90dcc4e73836a6d814a1ea8cdaed8cedde3c2
SHA1 hash: 383d836a88c06f0d8cc0f6f8249c7fafece7e2c9
MD5 hash: 6b512fd94524086c363a2d12863b741e
humanhash: mountain-xray-georgia-carolina
File name:Waybill_Receipt DHL4704321510pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:140'800 bytes
First seen:2023-07-07 15:00:21 UTC
Last seen:2023-07-10 06:04:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:M64/4iUSMBl+jh3rvkA2GSFVfxpuu6xr4o3qd:M64/4pSMB83rIXxpHo3
Threatray 5'195 similar samples on MalwareBazaar
TLSH T17ED33A9137D8057BFBBF36B7E07616812F359CAAC293A35E648CB2B508733110D1A56E
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 2b534545c565534d (12 x AgentTesla, 1 x PureCrypter, 1 x NanoCore)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
287
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Waybill_Receipt DHL4704321510pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-07 15:01:52 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/5b2fa943-d0d5-443e-a879-c2b0d85c868d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/410890/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15013.8025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Creating a file
Restart of the analyzed sample
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64a828af9bd9f933fbb8b890/reports/6d182f6d-6cff-4959-ae19-4ac063786a24/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9edea05f-e0d3-4df4-b3b4-40208d3324b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-07 11:49:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=td3yu3b3ve5lknilhukiivjgdmqu5hzjqnxvmmc2b6hxfj3jbvfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d147d070c8149fccdde09ba5398a6600e9a6aad9943ac01f55948ccfa74a17d
AgentTesla
10488db28b2a89b0b4c98640e65f7df2ae248ba2a80dd443b9eddaf6714e01e0
AgentTesla
32858494af5f8ee5f49b7d67894800a340dab412adf1b4326059bb14916c8659
AgentTesla
3582179408cae42c24644803274f3f5afa36167659022f1a8dacc0efd18d5a3c
AgentTesla
48b40f42261aa76d3629cfe995b93dfb0a448c2cb1ef513e420c3ba39a57e24b
AgentTesla
69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f
AgentTesla
6e8d1dd1574c5285fb19d7576e1384e5673fc2b0eaeff485e4d9cc13ec02007d
AgentTesla
a6507c308d5a01cce561a7eac683e60661bbd9e5386cf9b7596ae35881cb00db
AgentTesla
d5e90ce1f8eb541722c1fca05abb1f729b7a886c44c9aa93b1477a6183c9476e
AgentTesla
+ 5'185 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230707-sdvz9sah2s/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2100759405:AAHQxGXNxGeuNgcAgCwnT3oqpIfFhYBuhgo/
Unpacked files
SH256 hash:
98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a
MD5 hash:
6b512fd94524086c363a2d12863b741e
SHA1 hash:
383d836a88c06f0d8cc0f6f8249c7fafece7e2c9
Link:
https://www.unpac.me/results/bce8acfb-f2a8-4475-84dd-b999bca8bfcb/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98f78a6c3ba9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/410890/

Comments