MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7
SHA3-384 hash: 14839dfa07ac046c40644cf73ec969f40c564368736ef58596698359c97b11641fa4a470300ed98c6b5252d9ec46bbb7
SHA1 hash: 319f1833848a98c976c1eb074af16a52ee4d1433
MD5 hash: dfc7cff14929dc6879d88a2c514bfef8
humanhash: charlie-georgia-michigan-white
File name:ENQUIRY.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:583'680 bytes
First seen:2021-10-21 11:39:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:oRoK6Ibw8eGTSZVr7w4UhHsW+ahejlnvOviQr5whs8QVqJFTP:oPdbw8eGqVvwFhMtaheJvOau5whiq
Threatray 12'176 similar samples on MalwareBazaar
TLSH T16CC4CF76615AAE9AEF797FB8944067803FF47C339B2ED24DAD99709612F3510CE30881
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199075/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61715196db358dd15ecdad72/reports/390d0903-9488-406c-aacd-d7f93d0a4911/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8b5af58-4044-476d-a33e-86c55b68d269
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874524
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 506952 Sample: ENQUIRY.exe Startdate: 21/10/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 9 other signatures 2->35 7 ENQUIRY.exe 8 2->7         started        process3 file4 23 C:\Users\user\AppData\...\qhikTxSZJsELY.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\...NQUIRY.exe.log, ASCII 7->25 dropped 37 Uses schtasks.exe or at.exe to add and modify task schedules 7->37 39 Injects a PE file into a foreign processes 7->39 11 ENQUIRY.exe 2 7->11         started        13 schtasks.exe 1 7->13         started        signatures5 process6 process7 15 dw20.exe 22 6 11->15         started        19 conhost.exe 13->19         started        dnsIp8 27 192.168.2.1 unknown unknown 15->27 21 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->21 dropped file9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 02:32:23 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyrjpefqu5x55wjbsq2apdrlve2jzvrw5zh2nrrt2b3zursma73q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20307784e2521eb5d902498d8c893d7c884e518c38d8659780019ad08fbd341b
AgentTesla
24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604
AgentTesla
4ec534a56242b9fce084489c530b3c148b5f88e139e98d06b630fe1404c09946
AgentTesla
5e02cafcb735f048e38347099086988b2ee9d5c09956f95257602d3a45fd6716
AgentTesla
9bca070ab37ea78134d5e9a5203521570bddd110e8ea8a620b702c71ecd89d54
AgentTesla
f7f953c1fe2a993d404b4dbd1356f8cf4017c265ea9dafa60f8beeaff0c0588a
AgentTesla
+ 12'166 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211021-nsvwlaaca7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c9be96945a093f74b82f26230c02be0e67f61bf5b0960949206269f8877bccc7
MD5 hash:
8def59c85a9cf49d5a043a29222c8ea8
SHA1 hash:
c11190976cbd7836e93abe798103ea4430386923
Link:
https://www.unpac.me/results/a5bad1dc-8313-43eb-b9c0-950dd5fe30fa/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/a5bad1dc-8313-43eb-b9c0-950dd5fe30fa/
SH256 hash:
f31378192fdae5d16e6eb1def825d928878594e876bf73b9d2e1e8d87e9ab35f
MD5 hash:
1f1dc36a2498d5c927c437e1967a5157
SHA1 hash:
3c14556886f5cc125e17c43697f004140cd84d16
Link:
https://www.unpac.me/results/a5bad1dc-8313-43eb-b9c0-950dd5fe30fa/
SH256 hash:
a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7
MD5 hash:
dfc7cff14929dc6879d88a2c514bfef8
SHA1 hash:
319f1833848a98c976c1eb074af16a52ee4d1433
Link:
https://www.unpac.me/results/a5bad1dc-8313-43eb-b9c0-950dd5fe30fa/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a6229790b0a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/199075/

Comments