MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455
SHA3-384 hash: 0a92405c39bf375663c48513b20fd2f04bd517e9a95b1154a33e9d89d2b7820031525206e7281a734425e67f09e0f4d0
SHA1 hash: a34654bba5b0e60a75eab60ba490ad0344ad0be9
MD5 hash: 16f3c95d1f1486d0081ed5f793687364
humanhash: sink-alaska-chicken-nuts
File name:요청의 건 사양.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:653'824 bytes
First seen:2023-08-08 07:01:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8JUUgdp2rnIgU0sE14sNDExngp7KzAouSVUXbwJFmhVYy:K3gdpiwm40ig0MouuUXbqmhGy
Threatray 5'563 similar samples on MalwareBazaar
TLSH T1ABD4221C689CD749EE6D07FA292C507903B2374E6471E3AC8EA16DF821A6F0B4E11F57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1000107171100000 (8 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
요청의 건 사양.exe
Verdict:
No threats detected
Analysis date:
2023-08-08 07:10:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7331f73f-77d1-42e0-b233-f5d4c2c4d701

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441220/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1995.17040.27511.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Gathering data
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce1d335c-8ac4-4787-b667-26d5b922996d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1287478
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 02:47:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=thtwzkl4otvj5d7bcksfvchu7vvgqtg2rwdgnx7cbxbo55gwcrkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17ed43b0f9c5412245b4b1f37c185f7061c0eb3d0ae8af583bd25d7209dce8d9
AgentTesla
1b91aa318e9c011abed18662e8c577ddcb12499de26e2fd19bfb4a4ea81f7450
AgentTesla
395c0eed15d4b5605921f94d489c4dad2edc8fdc816d278e3065d2baa8db3607
AgentTesla
5167b917426b8435d81522f885966f00cbf7f5b896e2a6b18696bb0f1194756c
AgentTesla
60c5ef3af7a3b790a403a31630ce8c27a43d21727823f6e010cbbdf2ea0e0a35
AgentTesla
974ca7ad435352579a6080a0437db8fb96a3cc0627799820cbe3aac2fd0a6a0f
AgentTesla
986cef185bba0f14257b360fc1488c9cf9bd3eefc66d3cf4766e99ed0217550a
AgentTesla
e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
AgentTesla
+ 5'553 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230808-htsjzabb38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
ac47771ea154a91d8dd60b3fee67c41e860c5d8f1ca4a482f451e2500612b687
MD5 hash:
43146ddd7b5f3a832c1b6afa17927b0d
SHA1 hash:
c7c21310eb9eac899db0a9cc1109ec2ac656ec5b
Link:
https://www.unpac.me/results/1b8007a2-0dff-4806-ae39-39a0ade035d2/
SH256 hash:
1d4ef92940095ce5abd862ddf54fc5b5223e08dd96c0387c2bd2210f25e92963
MD5 hash:
f9337ea20e5973c9376b8ff35804e35e
SHA1 hash:
b6713a3f755af6fc8342cd11c08e67dc48af5751
Link:
https://www.unpac.me/results/1b8007a2-0dff-4806-ae39-39a0ade035d2/
SH256 hash:
0862d70797df82baee3cb640bf391f5ab4b099b75a7e3ab455251af232557a6d
MD5 hash:
b9a23c7ec6a33d3f4bfd3a3fe8384745
SHA1 hash:
86c9b765f72b87660cdcacc56702d970e5d17051
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/1b8007a2-0dff-4806-ae39-39a0ade035d2/
Parent samples :
5167b917426b8435d81522f885966f00cbf7f5b896e2a6b18696bb0f1194756c
99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455
SH256 hash:
acb4f2181a20567f3a024b4919e95a204633c49dd5fa694e73b2c508b2517f62
MD5 hash:
54382de0119d4daa02ec3edd0312168d
SHA1 hash:
0451e80a80e731f260afd2e7c60d9d79069b0a3b
Link:
https://www.unpac.me/results/1b8007a2-0dff-4806-ae39-39a0ade035d2/
SH256 hash:
99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455
MD5 hash:
16f3c95d1f1486d0081ed5f793687364
SHA1 hash:
a34654bba5b0e60a75eab60ba490ad0344ad0be9
Link:
https://www.unpac.me/results/1b8007a2-0dff-4806-ae39-39a0ade035d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441220/

Comments