MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967
SHA3-384 hash: 7f166d360cc5f8a2ebde3ceceefcaa73cb0987bdfda206858a6efecf045122a989cb941dff192d337cd343d8a591872c
SHA1 hash: 455b566e8ad812ba9de6348d83edd4b62ecfc8fb
MD5 hash: 503a9a09ff92476bf7581cae268b8b10
humanhash: fix-wolfram-oklahoma-hydrogen
File name:PDA Query - GGR-202754-1 HAPPY CLIPPER 1 ETA 29 AUG 23_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:747'008 bytes
First seen:2023-08-18 13:41:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:zJ23/gPrkUbmuXaO0DhLyPJAZGbUuWq7MbrepvYg+O9WsgKnt9VMigz:SwrkcaOiQBAMwFqgbqpvYFO9WsTjVI
Threatray 5'601 similar samples on MalwareBazaar
TLSH T1E6F4F150336C2F33D8799BF56011A8400BF67C5B61BADA8C8ED37AD72636F025A52D1B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PDA Query - GGR-202754-1 HAPPY CLIPPER 1 ETA 29 AUG 23_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-08-18 13:44:58 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/3dbbfa80-452e-4718-bce1-916dd879255e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443477/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64df752bb3ff67c5573c80bc/reports/4c708bc0-8961-47d8-b4e9-3656bdaff1fb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd3e2c8a-18da-43a3-9150-704c97a79d0e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1293417
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-18 06:11:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yinzxc75ikal5avl2oeqkgdn7k6nb4r7hfj3fws6d6wdaqtb7ftq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894
AgentTesla
1b16ab38f1808b6853077196891a181f1909607e522bc12535d3e39364055687
AgentTesla
332bd128b3b9a33e9d363b6a9578739d94471de4fe26d931bcff80219fcf4e9a
AgentTesla
36c15da245c3b9a2bc01bf408f5d9ee73f484d9a010a41a09a8ddf552eed7dc1
AgentTesla
42f8cd40a497fc10b8be5ce4e4888b943a34ec854b72fe960c35cdea9b51a50a
AgentTesla
8d83bca79f2bc2c8de276322813a9d775891c8445191f196c302f0965ba62ba3
AgentTesla
b964fd0b9facd76d7dd84b3491df66d51c5e95fd4385f47afd9764a72ebb939e
AgentTesla
f1fa63d7d7b5b3bdb889570006f8a7cc93f2cecd1db9c3e851d4762073e04113
AgentTesla
fb0533fddd270310cba6cd3a1cae5f23356a0a28cfdb85caf6dc0c41f8c19590
AgentTesla
+ 5'591 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230818-qznrzabe8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
179f41ad0100b795f231ff96de45be936650d04c0295c8f839ffbd0cfaa41633
MD5 hash:
24eadfbe29a19040ce879d81c6708515
SHA1 hash:
bd678c677667326e3170a6cc5b59e9838fe9d883
Link:
https://www.unpac.me/results/9ba966bd-d260-4e35-9f4e-a6992a612880/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/9ba966bd-d260-4e35-9f4e-a6992a612880/
SH256 hash:
5f42b6d6ec968a8294d26d99549841d2322dbc23efd6ca3b8ad3869f897689dd
MD5 hash:
53d319810ae0cd8564fc98e9fd9a3bf9
SHA1 hash:
92dd41995ef5654b9fb8b57e47f072c40713a2c5
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/9ba966bd-d260-4e35-9f4e-a6992a612880/
Parent samples :
1b16ab38f1808b6853077196891a181f1909607e522bc12535d3e39364055687
c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967
08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf
ce3a3c9f22255146152575aa50fc9f5f1ef3f8c96b9b94cd766301045f846612
246d6ffb502aa4b83300c5bb35e008e245ad36d243a83e6bdfee04eefdaac71e
eae8ee79f837443d3f1ca4a05375b801e6f12b5cc9b826312a59efbff650cbdb
0ef85406b6effa7a7ce0748cea4c755efcb8e8ba8cf3201ce8591b3c9acf51da
SH256 hash:
aa3670a577d4c6a9de6032190f2e147ca39d1a7b7cdaeba6b29205da945ba9f5
MD5 hash:
b2ba69c87d0423b3ea3e23e0784e8dbd
SHA1 hash:
0131a3bdd22a942b42310e1f9bfcba786d077959
Link:
https://www.unpac.me/results/9ba966bd-d260-4e35-9f4e-a6992a612880/
SH256 hash:
c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967
MD5 hash:
503a9a09ff92476bf7581cae268b8b10
SHA1 hash:
455b566e8ad812ba9de6348d83edd4b62ecfc8fb
Link:
https://www.unpac.me/results/9ba966bd-d260-4e35-9f4e-a6992a612880/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/443477/

Comments