MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
SHA3-384 hash: 4727fc4bb64a442762f174f4b735ab50cecc2255c7044cc7023d15c36f79e47cf7d185d6b489c6249856c72556bf2837
SHA1 hash: 001f8481ba541f4777f56aafed0ea4e316572a02
MD5 hash: 4e5ad561afa269326f6996394d78d6ef
humanhash: butter-may-island-mockingbird
File name:PAYMENT SLIP AND SWIF COPY.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:504'320 bytes
First seen:2020-12-07 19:33:15 UTC
Last seen:2020-12-07 21:39:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tje7Ar369jAbQXTFBpYVUQ02ec9XBF8qjz:47ZhIV17/Jjz
Threatray 1'716 similar samples on MalwareBazaar
TLSH 59B4F1320246AFAFE77E0F76D10426104EB4B55B7E23F29CAF8450D606E67988D51EF2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: host.gtoolswebmail.ga
Sending IP: 52.152.234.132
From: Ibrahim <Ibrahim@hunanpipe.com>
Subject: Confirm Payment
Attachment: PAYMENT SLIP AND SWIF COPY.rar (contains "PAYMENT SLIP AND SWIF COPY.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT SLIP AND SWIF COPY.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-07 19:54:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2dab8923-6489-4a53-8275-eec6e0653364

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107099/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.17965.20598.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/557322
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-12-07 19:34:07 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=td5rrw2zzoe2nuzsuir4pmwvi65nihhtwbxnf2vhl5ujibe3knma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6
AgentTesla
0b0497a471a34be0ac2c4719719527d6a73b4a0ad0d7b8f43d9c9af5119ce9cd
AgentTesla
350d069225cb53bc0c3762da5cc170eac2737318377be141a5485651105914f6
AgentTesla
87b13e8ecfe5abb89f206f65c0e0676a70bb25533f3af9fd336c1075e7abd174
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b
AgentTesla
d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16
AgentTesla
dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d
AgentTesla
+ 1'706 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201207-nk2r9a8bh2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
MD5 hash:
4e5ad561afa269326f6996394d78d6ef
SHA1 hash:
001f8481ba541f4777f56aafed0ea4e316572a02
Link:
https://www.unpac.me/results/5c578499-1a6a-4e96-990c-141595491ee0/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/5c578499-1a6a-4e96-990c-141595491ee0/
SH256 hash:
25b973810024c47825debb139d112f17dc25b1efcf93223ae082daa58395b721
MD5 hash:
83b7e42599110abc2286719051d43801
SHA1 hash:
48c748e808ced50774efdc28b2e60cd5917f1c2b
Link:
https://www.unpac.me/results/5c578499-1a6a-4e96-990c-141595491ee0/
SH256 hash:
68c1cb6eb4b893698fe5ae104b415e9e780e0caed15f11178f78ac49d60366a1
MD5 hash:
6fe2a2f17bcd65de8ec5641d47375615
SHA1 hash:
990274f44244fbe7628eb4f47c3aee57ee0cda70
Link:
https://www.unpac.me/results/5c578499-1a6a-4e96-990c-141595491ee0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 032d55216842c7aee46d81c51afa4a3f7716dd06dbb8faeb68017b9035085323

AgentTesla

Executable exe 98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358

(this sample)

  
Dropped by
MD5 18a3a6a124fd8f7e2008314b09bae5ea
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107099/
  
Dropped by
SHA256 032d55216842c7aee46d81c51afa4a3f7716dd06dbb8faeb68017b9035085323

Comments