MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99a3a2770ee51389df0ed5f4a4a9788f98d92229a41f563279e181b41c528326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99a3a2770ee51389df0ed5f4a4a9788f98d92229a41f563279e181b41c528326
SHA3-384 hash: f5d79bdcbb3b827384d9b563e43de10dd7750c8d330903c5fa0c89696c0242b698a0fcc1ca05599432012b7057fef884
SHA1 hash: ba1e431e0ec04108d5411be45e0ed2efa8fbec95
MD5 hash: b041b7dde1a9578a529cdce4a3755904
humanhash: north-artist-muppet-fish
File name:2021-06-22_New Order_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:755'712 bytes
First seen:2021-06-23 13:13:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:dJZaF9GF2inNi812MNzffWxrqqihStmfzW1NaRSf65p4cFwWGBOQZC+Min2xEE5:8jiNtLNzXWoJhSA/LebOQZClEE5
Threatray 6'502 similar samples on MalwareBazaar
TLSH 6AF4E02039EEA018F177AF795FF475969A6FBB633B06D85D2051038E4B23902CF9153A
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2021-06-22_New Order_PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-23 13:18:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea45a107-4409-4728-aab3-158e5c125303

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/701bd4cb-874e-4bc2-a0bd-833e608033e2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806591
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/99a3a2770ee51389df0ed5f4a4a9788f98d92229a41f563279e181b41c528326/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 13:12:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgr2e5yo4ujytxyo2x2kjklyr6mnsirjuqpvmmtz4ga3ihcsqmta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08e40e28aab09030aacd7aa23e9f619fcabeb74f4b9e9ecf9e35310158af8901
AgentTesla
0dde386d301256d9f11d4003d0ec036be32ab0ffa411a2183b137b6f7782f162
AgentTesla
149e5cb565e56469e6ff5c929185e203c92be0d8541faf0cf38da0003ae211d3
AgentTesla
225292deee765b9ce907a03a47645c52201a14dfb962345096fd30385fc63eae
AgentTesla
37211ea70920adce4d2704187d8f45233724e84c2dc18158387da8bf2e94eee0
AgentTesla
706a8a414b5cf5b0af00dc98bc373f48b48e07a7770e2270b5cb6f546f482aba
AgentTesla
80ef601f22b023786e457852b1723ef80952ea8e2f98f1e387bebe043bfa1d59
AgentTesla
b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e
AgentTesla
b4d78c02fa2b8e9ef61a925c1fac4750d4a7d17030ae548833f7cfb5d9d67ed3
AgentTesla
c2f19d09b75e7e3a3fc37523b1b65b63850819c18882947359eacd8ef9c833f3
AgentTesla
+ 6'492 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210623-ny8p4tyad6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
06306e33b7e10429759ab8c42e31e9eb8edbd76c4f1a792a5c231a57876ea338
MD5 hash:
5bdd03077864d32db51b085294859f68
SHA1 hash:
70392a93a4c8be2377915fd6e6d3e7a3a9600adf
Link:
https://www.unpac.me/results/5024de92-052a-4981-9816-3ce62978a2bc/
SH256 hash:
0857120817e447e61b8ed1cfef7c9b8cdfd3af690b257f4c00c3c7fc7aaa0318
MD5 hash:
0189b6edc8d45be42fb142cab59da487
SHA1 hash:
6b8e9d2e46cdf12c4be55f77cd8303a13c3fa246
Link:
https://www.unpac.me/results/5024de92-052a-4981-9816-3ce62978a2bc/
SH256 hash:
d4b60a80a74dfce2f6aedefaf9d219cb16ce7f31f9fd1550761f40afd7a94aee
MD5 hash:
9ed2b566110d0ae2b60f48b2d2a80eb4
SHA1 hash:
2e6723886c4deda91ecff17dc88a9d2341d206ad
Link:
https://www.unpac.me/results/5024de92-052a-4981-9816-3ce62978a2bc/
SH256 hash:
99a3a2770ee51389df0ed5f4a4a9788f98d92229a41f563279e181b41c528326
MD5 hash:
b041b7dde1a9578a529cdce4a3755904
SHA1 hash:
ba1e431e0ec04108d5411be45e0ed2efa8fbec95
Link:
https://www.unpac.me/results/5024de92-052a-4981-9816-3ce62978a2bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99a3a2770ee51389df0ed5f4a4a9788f98d92229a41f563279e181b41c528326

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments