MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b
SHA3-384 hash: dd51524b5eb9f04160b704df0c2f2add07e6e79b387ec14f7005c2985771b66321a01e1ba5b04e65d60d2f736506953f
SHA1 hash: c5c23c81be649eb4c3c918363af02fff94452a08
MD5 hash: 0e831ff3582b5a32a2880c1293a884d2
humanhash: april-mississippi-sierra-delta
File name:TR170965523454.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'193'984 bytes
First seen:2021-01-18 07:54:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:P9kkH2Rep6dJxTXdAdHUBs7RkfdJJHfpChuH5JE/3:P9jH2RBdJxTtA9UCAd3fMmG/
Threatray 2'222 similar samples on MalwareBazaar
TLSH B3459E1053DC9F20E3BC57F89910926067A9E546F658E37CFDBEA0C29F229A445DFB80
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: fairprice.com.sg
Sending IP: 89.44.9.105
From: NTUC <jane.doe@fairprice.com.sg>
Reply-To: NTUC <jane.doe@fairprise.com.sg>
Subject: NTUC Order
Attachment: NTUCOrder.GZ (contains "TR170965523454.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TR170965523454.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-18 08:06:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb1e31b0-086e-42d0-9c89-e4d2bc414cbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112431/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/583427
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 07:00:30 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=thikxzurz2r76dueml34zidetjjfa6qdhb55uj7jliql24vgwn5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
113a77824329e62d8a2268075f4e8afa9756a9e134d46e87a61618d7b426b9af
AgentTesla
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
AgentTesla
6b6a6cb45c75ffda98874ecb88f2fbc1ec1737222116967459117d6d8d36ecc9
AgentTesla
8e8e7ded0eaedda43532fa04b96252d50fe3a6d668a21a4aff051abbb74ac085
AgentTesla
9972434ebdd96cf98cbc8849f08d6ca3120e5cf2553b3416bc0fccc5396c74b5
AgentTesla
a9bb3e9f775ca73baaac71ef7e7b4a5d7c467aef99d3b8f34856f16dbb3afe26
AgentTesla
cdcc8531c42e3ede33c0ecbcb82f7a6e5445e959eee3796475258df830a18813
AgentTesla
dc8b8addeb256bdfb0eb82d09b54b57400deed315a727e331fe66ca59c965373
AgentTesla
e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0
AgentTesla
f3dd0364478f5e8db5e914033bf34cd7e0a1cc3a66698883a3798ef35f61a36c
AgentTesla
+ 2'212 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210118-9st9yh2xze/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035
MD5 hash:
fb169513679d349cb2a7e4121bacfd4a
SHA1 hash:
26619d7ce0a175b9fc4fbfd7f4b105050562924f
Link:
https://www.unpac.me/results/160b2440-dd14-4bf7-8707-5b0ef2c12473/
SH256 hash:
99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b
MD5 hash:
0e831ff3582b5a32a2880c1293a884d2
SHA1 hash:
c5c23c81be649eb4c3c918363af02fff94452a08
Link:
https://www.unpac.me/results/160b2440-dd14-4bf7-8707-5b0ef2c12473/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 85dd7442c7144b53ff9788a5d24e982406e4d2b1dd1896732b0613d2f73b4e34

AgentTesla

Executable exe 99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b

(this sample)

  
Dropped by
MD5 d42287bf85772876e1b2ea78cb70caac
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112431/
  
Dropped by
SHA256 85dd7442c7144b53ff9788a5d24e982406e4d2b1dd1896732b0613d2f73b4e34

Comments