MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99ce362c5699437565282bc8e672ce5482e54ff31c171b86456f2e5a47fde91b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99ce362c5699437565282bc8e672ce5482e54ff31c171b86456f2e5a47fde91b
SHA3-384 hash: a33972120809dbd4cb3e2879285ed34b6315a08f480328d5e3be07ec7c4690fb05e5a499965598f0afb15b4a64282ea5
SHA1 hash: 8ffc2c31785f0d2d3ce8902280608fc60f502d0c
MD5 hash: f3a657f058371b047a9ffe4a8b2dd68a
humanhash: purple-nuts-fourteen-black
File name:TÜBİTAK SAGE FİYAT TEKLİF İSTEĞİ_xlsx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'161'728 bytes
First seen:2022-05-12 05:53:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Nq2Crw52Mq5NUX6sVfDhHeK0Vfbat7Vw:NjCrw5Ev7WfNH8Vfba
Threatray 16'891 similar samples on MalwareBazaar
TLSH T14D3539987254F9DEC817D171CA685CF0AA207C6AC31B820B90173D9EB97D783DF219B6
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TÜBİTAK SAGE FİYAT TEKLİF İSTEĞİ_xlsx.exe
Verdict:
Malicious activity
Analysis date:
2022-05-12 08:39:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/21395198-c8f5-4373-a411-f2d90ad1432c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269823/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/627ca0e38d13de6dc3af46cd/reports/1caf8105-5ab5-4442-89ef-0860539b45a8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1afd875d-107b-4b99-82b8-1e8b15a6014f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992382
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624878 Sample: T#U00dcB#U0130TAK SAGE F#U0... Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 12 other signatures 2->44 7 T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe 7 2->7         started        process3 dnsIp4 34 192.168.2.1 unknown unknown 7->34 28 C:\Users\user\AppData\Roaming\zTlVswg.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmp5821.tmp, XML 7->30 dropped 32 T#U00dcB#U0130TAK ...#U0130_xlsx.exe.log, ASCII 7->32 dropped 46 Adds a directory exclusion to Windows Defender 7->46 12 T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe 15 2 7->12         started        16 powershell.exe 24 7->16         started        18 powershell.exe 25 7->18         started        20 2 other processes 7->20 file5 signatures6 process7 dnsIp8 36 api.telegram.org 149.154.167.220, 443, 49723 TELEGRAMRU United Kingdom 12->36 48 Tries to steal Mail credentials (via file / registry access) 12->48 50 Tries to harvest and steal browser information (history, passwords, etc) 12->50 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/99ce362c5699437565282bc8e672ce5482e54ff31c171b86456f2e5a47fde91b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 21:04:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=thhdmlcwtfbxkzjifpeom4woksbokt7tdqlrxbsfn4xfur755enq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
56ed66657e25c863a4b008512dbc21cf29225dbf13d67a5d1141e03ab04c8804
AgentTesla
61d0a1d8b04afa7bf63228748034ed0018157c3f902cdb6069a928c589b63729
AgentTesla
9b9e7f65b6e87acaeb34f568af68ba6c2246cf320329d56af03673f5f3908ddb
AgentTesla
c3f5b91bd4a07b58d11c41839a3f00c55767e5529fb205310f2a5581ab5139bd
AgentTesla
da58a512dade08a3539fc4580884e30c389a4f8127f155ddc43389a38b9abee1
AgentTesla
e583ed8b8ca9d01ee9dacc975fd9882699c0534efcc7a4b905613bb9e0a60684
AgentTesla
edb8f0857fece22a2b512991fe1acca379f43549a420340d3097744222d53db8
AgentTesla
efdd3220b1773e040645935cb67e520893983ee8a1f5d0c08f8b5b995128a989
AgentTesla
fc3496cf72612e8bed8e7a7d461b8c3a30fb7e5739149c26dfaf1e03ff43f442
AgentTesla
+ 16'881 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220512-glv5fsafd9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
206355bf8d0d1abf2b67684f6d74eb6020786482cb0d62923fca2faf31ce290d
MD5 hash:
0a0f99627354014f402848e9fba666e0
SHA1 hash:
8143db7858532c9fef64786ac44e9a136942e375
Link:
https://www.unpac.me/results/7f593c64-4015-4f1c-a2d6-6e9244882323/
SH256 hash:
753bb6d3f2107a7ed0071a4efa04ddb1a9d09edbeb382020e4d558d46b572048
MD5 hash:
b5911e16822a39925df899d348f05e0f
SHA1 hash:
47690a21ed470fae27fa0e315dbbee4d97dd43ee
Link:
https://www.unpac.me/results/7f593c64-4015-4f1c-a2d6-6e9244882323/
SH256 hash:
136019e13a4777ed649fdf0f061e4ad169c91fc210a979eb29b22bc26c56223b
MD5 hash:
7aeaa422e0d009c69824cba4de40c79b
SHA1 hash:
40ff36f198bc61b6151f28451f24558e511042d2
Link:
https://www.unpac.me/results/7f593c64-4015-4f1c-a2d6-6e9244882323/
Parent samples :
c69020d319adad3cbafcc89ed03083094e1484ff9b473b70434e2be28f4eaaf6
f6a5112b969d1fa88dbd095df950e3b586b00166c857656c1da21685ab94e093
4164d3bec950ac04c1a2e8edc8b4bccc4526daa5400e011c2622e9b08c720901
74364dacad18ae5d6930c6b8d3c41210ef3d3c2c7899386c2b2c17d7c84142ec
4c88e26f710c4aec376be1d0162bc0edbb5dc0092f5c786c9f5c15b4c5bc9706
b153261c18823db96bfd055e398bac3f7c3853aaa006c2017dc17d13e49e23f1
b90d614aa6a712c1c1ae460f35a852005123f2719fa15faf1837e90a8b138d2f
ed4b9afcb717295f5fb71bcc6f408dbbed12c6858ee2f20a1f7bd2ab72074fc6
ee215a3ddd28f9c0599ade58c8e18c1735abe7fd9883fe846ce480ced27aa663
9bfcddc5558b99ca104647f9f65f6eeb585d7eada6a786e841ff71d9a7a4c682
c67f1aa3ba774093756918e8dc2a2064e1d8e39a91f09c01d55ad38e73ef5a3e
a7cbbba4240bca662bb18a1b8f3de13c839b3714ca8a869fb5c99dda91f43913
bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf
f9310537144e0d9dac0a50fee380fa07322354e9248454c1bb60144c8bfd22cd
cf44163e574fb84c598bd3a738aac3119c0f64cc7c6fce5739faca7ea9158bcc
SH256 hash:
c1a98a15d84104bcac566b5d67b2d7187c219d81a055692bac1ab2ae5a84cfcd
MD5 hash:
c326d1dbd60700f0a652a7edad1f0147
SHA1 hash:
0ef26d0a37786fcf0e817e8cdea9c48e4faed8bb
Link:
https://www.unpac.me/results/7f593c64-4015-4f1c-a2d6-6e9244882323/
SH256 hash:
99ce362c5699437565282bc8e672ce5482e54ff31c171b86456f2e5a47fde91b
MD5 hash:
f3a657f058371b047a9ffe4a8b2dd68a
SHA1 hash:
8ffc2c31785f0d2d3ce8902280608fc60f502d0c
Link:
https://www.unpac.me/results/7f593c64-4015-4f1c-a2d6-6e9244882323/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99ce362c5699437565282bc8e672ce5482e54ff31c171b86456f2e5a47fde91b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 99ce362c5699437565282bc8e672ce5482e54ff31c171b86456f2e5a47fde91b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269823/

Comments