MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6b99294abd7ed56399d7670f2f5c5d7dbad4a13f8dcb02997d36799925e3209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6b99294abd7ed56399d7670f2f5c5d7dbad4a13f8dcb02997d36799925e3209
SHA3-384 hash: be8608d2d3b13807ac0d93c333786e7d24d15415dae3ccb7865f21951fd350af424d4826021e36b2de0450d4118eb3f8
SHA1 hash: 304c381e2e433f78d29b6801c1bff2679eecffde
MD5 hash: 56202b1bf89b512d4376043d10d1cb76
humanhash: pennsylvania-quiet-montana-fourteen
File name:NEW PO 3434.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:751'616 bytes
First seen:2021-08-31 05:16:51 UTC
Last seen:2021-09-05 05:41:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:v1gCGI9f8dQ/BuuJoUbbSbqGUCqu/d7DGRhRz:NgCGI9kO/BRG/bqGUCFgRHz
Threatray 9'174 similar samples on MalwareBazaar
TLSH T106F42D7F19BDA2279175C6F58BE78827F0108B6F3110692476D347264322A7AB4F336E
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW PO 3434.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-31 05:18:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b5548ca3-d1a8-4ba4-9cea-6bbbacad9b20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183941/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93d77cb1-de24-4a31-9780-472a7fe1883c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842249
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6b99294abd7ed56399d7670f2f5c5d7dbad4a13f8dcb02997d36799925e3209/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 02:03:42 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=224zfffl27wvmom5ozypf5of27n22sqt7dolakmx2ntztes6gieq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b4d3e69b4e2e533522d48f27a0137e34b92b01e36d348c12f0df4371ed7d573
AgentTesla
4ce344180332c420d2c2340151e359e516435dd993276ee0b7a351c3de5664b5
AgentTesla
80a5971229dd01d3b78272dae553361c8f9d875b8e274ddbd00753c0e50dd65e
AgentTesla
ab48ca4d8572974eb4cadc99ff0e430d62576dce2078796670f735101957c516
AgentTesla
b196d74012b2af1b9e67fc11dd4b85d3010bc7ef892c7232fa9228bb0d38972c
AgentTesla
c368d46d339548363e8c54693797b04d8aa1e82a9b687ac4305f550e36781d95
AgentTesla
c69aa221ec1df4acc67aac0fd7a1e7dcefa181f496b21839576343fd7fa8fb8d
AgentTesla
c85ab5bd7344f3677a769235b13aa14bd7b0d93a61684266abf6596243f9728d
AgentTesla
e71703a89fb65868f5daf7517bdd13d16ad09fc7f9a7b3bf4a65fa67844c4b1b
AgentTesla
fab0db0c780f0c6699b1acd564580dded6fb1857c61093d732da3bde480cd655
AgentTesla
+ 9'164 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210831-c5t7wpsthn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5434a3b1adf209cc3ea24895fe82ee05c914d7aae5c856771820a2d406545f8b
MD5 hash:
a184d2e5771436efb537bed5965fe481
SHA1 hash:
d27edfd35f6ff09d864b9be0f622008bf1fb3e0f
Link:
https://www.unpac.me/results/6bfc0237-b790-424f-92ec-42390af833ed/
SH256 hash:
019b2ab61b52e5a20fba16876f99c0cf4b502819180a6cf8eae3b106875f3f59
MD5 hash:
4135ceb4cec8931aff25c427859c65c9
SHA1 hash:
68c12d9a96a39aeaf4cca71df188e7ea48ddab41
Link:
https://www.unpac.me/results/6bfc0237-b790-424f-92ec-42390af833ed/
SH256 hash:
81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c
MD5 hash:
bae511742374b721136acaa03b0c1fa0
SHA1 hash:
215c50455b01a78ea173bbb034ddbe4b452ea734
Link:
https://www.unpac.me/results/6bfc0237-b790-424f-92ec-42390af833ed/
SH256 hash:
d6b99294abd7ed56399d7670f2f5c5d7dbad4a13f8dcb02997d36799925e3209
MD5 hash:
56202b1bf89b512d4376043d10d1cb76
SHA1 hash:
304c381e2e433f78d29b6801c1bff2679eecffde
Link:
https://www.unpac.me/results/6bfc0237-b790-424f-92ec-42390af833ed/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d6b99294abd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6b99294abd7ed56399d7670f2f5c5d7dbad4a13f8dcb02997d36799925e3209

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d6b99294abd7ed56399d7670f2f5c5d7dbad4a13f8dcb02997d36799925e3209

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/183941/

Comments