MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f
SHA3-384 hash: d68f663e7b6fa5eaceec2c3004d859b69fb65de838ee5b36f13d0856178de6f266fa07e3f49dc0bce6c2de65a874031e
SHA1 hash: 476a1bb239548c0d1c16ba415c425cd8b56d6c45
MD5 hash: de0b643459f59b88b3ae511b986eb868
humanhash: twelve-pip-alaska-fruit
File name:z44Paymentdocument.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:862'272 bytes
First seen:2023-06-14 23:44:20 UTC
Last seen:2023-06-14 23:45:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:f+uEfG3nUHprmxYsWzK5yge/AXjwmp8PPwRtb0KgHh8ntZMR+Z3DP:f+uEfG3UJrLvuvtXjSobK8ntKAL
Threatray 3'662 similar samples on MalwareBazaar
TLSH T17105238277D50912C85841F8D0E3053803F2AA9BABB7D387395896D54F86B95EACF7CC
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
278
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z44Paymentdocument.exe
Verdict:
No threats detected
Analysis date:
2023-06-14 23:44:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e2f48bc-b053-40c1-825f-563b40835703

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398975/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.345.25854.18813.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/648a51019069800b43bc118e/reports/a251e411-62c3-4f58-937f-5efb63659c07/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a00e314e-6c38-481d-bf6a-d862a50f207f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1254950
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 16:20:41 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgohbbidzjjitbklgnd7bkirlvmwm5v2d5a3kgyl7h7r6ewo2bhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10024cd05d15044b458ceb3c79f3081b264b84d444f2eddae4081ca5cfe5c536
AgentTesla
1a6889803b766ce102a10973126f946e3618a0f80c1cee6d902304d2ffae06c5
AgentTesla
40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949
AgentTesla
511bd4f1051444242dda8ae6df80720106a6b4d60eab89658baffb142affe730
AgentTesla
54b8c91ae0485d795f9821b01eb839bd682aee18df6a0b54d14d6eb2a2c0e83d
AgentTesla
813ee787efe7691b84a7286dfb567f0f6f377f3ac0f0d2dc200e106df9f8f222
AgentTesla
816dcc8bb5070ed2db687bdb064a383c946c8183f5e0c089f2453653be8a3086
AgentTesla
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901
AgentTesla
ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6
AgentTesla
+ 3'652 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230614-3rpqhseb5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f
MD5 hash:
de0b643459f59b88b3ae511b986eb868
SHA1 hash:
476a1bb239548c0d1c16ba415c425cd8b56d6c45
Link:
https://www.unpac.me/results/73e794f9-c44b-4d1d-bc6d-576c926d25dd/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/999c708503ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/398975/

Comments