MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 996fdb5a25f89426e241f02094474706fafd567fcc5980a07ac7a38efa8625ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 996fdb5a25f89426e241f02094474706fafd567fcc5980a07ac7a38efa8625ea
SHA3-384 hash: dcd97a6271d87f8d7ff11fba98d9794f3f8669c1e7d8600b09f7888683cbec34e197778e65929f662c709aa5e8c32509
SHA1 hash: 5adbb8b9913119f794423dd913ee7c169e929d98
MD5 hash: 723eddc3ee5191312480f0874b356fd7
humanhash: blue-triple-nine-cat
File name:Orden de Compra -046798.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:640'512 bytes
First seen:2023-06-22 06:06:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:KpdvDhH62MmgPFmmUqH5wIJNeJMC/j5ag830uvsfcENo17XoVRsMI:QdvDcAwEEHmi0MCljlPyMDI
Threatray 3'159 similar samples on MalwareBazaar
TLSH T1DAD41214723F4B11DAB25BF14A111630437EAD2C7532E36A4CEB30E66AA9F5D8663F07
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orden de Compra -046798.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-06-22 06:14:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58ccdbfa-4957-4f72-845c-c21990abac85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401545/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67673192.25092.27759.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6493e50999f0c0cb09336cba/reports/cc7f34f7-1e3a-4123-8810-f7ea8e2497af/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/996fdb5a25f89426e241f02094474706fafd567fcc5980a07ac7a38efa8625ea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fea4b09-d427-4f2e-88f4-21acc16c77fd
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259427
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 892444 Sample: Orden_de_Compra_-046798.pdf.exe Startdate: 22/06/2023 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 10 other signatures 2->71 7 Orden_de_Compra_-046798.pdf.exe 7 2->7         started        11 lmSPHbRnIKe.exe 5 2->11         started        13 MmRKwR.exe 2->13         started        16 MmRKwR.exe 2->16         started        process3 dnsIp4 53 C:\Users\user\AppData\...\lmSPHbRnIKe.exe, PE32 7->53 dropped 55 C:\Users\...\lmSPHbRnIKe.exe:Zone.Identifier, ASCII 7->55 dropped 57 C:\Users\user\AppData\Local\...\tmp3A86.tmp, XML 7->57 dropped 59 C:\...\Orden_de_Compra_-046798.pdf.exe.log, ASCII 7->59 dropped 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 7->83 85 Adds a directory exclusion to Windows Defender 7->85 87 Injects a PE file into a foreign processes 7->87 18 Orden_de_Compra_-046798.pdf.exe 17 5 7->18         started        23 powershell.exe 21 7->23         started        25 schtasks.exe 1 7->25         started        89 Multi AV Scanner detection for dropped file 11->89 27 lmSPHbRnIKe.exe 11->27         started        37 2 other processes 11->37 63 192.168.2.1 unknown unknown 13->63 29 MmRKwR.exe 13->29         started        31 schtasks.exe 13->31         started        33 MmRKwR.exe 16->33         started        35 schtasks.exe 16->35         started        file5 signatures6 process7 dnsIp8 61 api.telegram.org 149.154.167.220, 443, 49715, 49716 TELEGRAMRU United Kingdom 18->61 49 C:\Users\user\AppData\Roaming\...\MmRKwR.exe, PE32 18->49 dropped 51 C:\Users\user\...\MmRKwR.exe:Zone.Identifier, ASCII 18->51 dropped 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->73 75 Tries to steal Mail credentials (via file / registry access) 18->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->77 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 31->43         started        79 Tries to harvest and steal browser information (history, passwords, etc) 33->79 45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/996fdb5a25f89426e241f02094474706fafd567fcc5980a07ac7a38efa8625ea/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 15:53:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfx5wwrf7ckcnysb6aqjir2ha35p2vt7zrmybid2y6ry56ugexva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
057b5a69c942a24a0fc9818ea3d08c6479ef6af994938f9023b50b952f8186b6
AgentTesla
3135420881e7d4063d9883244d5803d596092d9fd6283137cc22876bee45564e
AgentTesla
5206fb34c3360635f7a152e0f3f336dafbca03f1e3d2bb957b8cb9adc726240e
AgentTesla
5ed32126cdfb97c7b5509cc51ecc3b4c9d899588c982dfceb4a739711538e36f
AgentTesla
7c2796ad29fcba2cb666107bdbe39facabb2c91f91e20f1df38ac21e616d9e33
AgentTesla
7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f
AgentTesla
b939a54436fbf49a9e065f0807e9071f3c29772c38857dc98a999a916e5ad2e0
AgentTesla
c1b407328dfb3df00e409a9c3661b8ed81aea549322104e30929f1d669404d06
AgentTesla
ea016352c5d29278244cf4a0ce4188c199863ba6bfef978c9dee5804fe9c8f79
AgentTesla
+ 3'149 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230622-gva6msea9x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6065558683:AAEVytwWksXNPncu_eMWOIXR3btY26msDD8/
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/7daef74e-96b3-4175-aebd-a99eafcb307a/
SH256 hash:
751e0b6b5e24bec18996fd15101cd7038340fc3ae17909b861390429cc896a82
MD5 hash:
56095921f3d57b1e6c836681eb50efd7
SHA1 hash:
889c4130c4a3d01150c9e82e5347a9017eb4bf0f
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7daef74e-96b3-4175-aebd-a99eafcb307a/
Parent samples :
996fdb5a25f89426e241f02094474706fafd567fcc5980a07ac7a38efa8625ea
122ec71f9f9911f8b80c2f2c5f26d66ffe2b62a190168ec0797072e02a8a3598
SH256 hash:
f58cbaa1c08285906de254b8bac132f492c785e86d6d8e3c7170f9b752b1f9e0
MD5 hash:
008350c52bb1901efc9ddb86df524034
SHA1 hash:
8534f982ba31920613904c813a907d40a4481b7b
Link:
https://www.unpac.me/results/7daef74e-96b3-4175-aebd-a99eafcb307a/
SH256 hash:
cd238b30ecc0a2810ce99d9e918d40c41c79b31a42b3050d2e25c7722f833692
MD5 hash:
1721bc0b5e9af2fc93b3d16dc15c03ea
SHA1 hash:
78cfec04ea939993621412c965a8f55c243169da
Link:
https://www.unpac.me/results/7daef74e-96b3-4175-aebd-a99eafcb307a/
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
Link:
https://www.unpac.me/results/7daef74e-96b3-4175-aebd-a99eafcb307a/
SH256 hash:
996fdb5a25f89426e241f02094474706fafd567fcc5980a07ac7a38efa8625ea
MD5 hash:
723eddc3ee5191312480f0874b356fd7
SHA1 hash:
5adbb8b9913119f794423dd913ee7c169e929d98
Link:
https://www.unpac.me/results/7daef74e-96b3-4175-aebd-a99eafcb307a/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/996fdb5a25f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/996fdb5a25f89426e241f02094474706fafd567fcc5980a07ac7a38efa8625ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/401545/

Comments