MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d2952d220d3c8ca18a08d57de9a5d5c22a19d8bd4e6f26fb21ddc4e7c76a61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6d2952d220d3c8ca18a08d57de9a5d5c22a19d8bd4e6f26fb21ddc4e7c76a61
SHA3-384 hash: c53e0e73486b2593055c900f989222d29f46f46d1b7adad7ad3bdb5533fa608b915f10ed9b74e6384e0686607024289f
SHA1 hash: dc216cd6e61af15f262b2fa91c12ad66adef0852
MD5 hash: ebde85f2d253ffb7c4e7813ac60bccf4
humanhash: cat-batman-moon-uranus
File name:Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:771'072 bytes
First seen:2021-11-01 10:37:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:pqJFTPX60t84ErU4Sx2/PkYSvLTFkf+JW2oMHR/gUFFhXpv8LlP20IudAqKJdD:pqxt84Nk/xsLTF3JW2NxIaRq2ao
Threatray 12'466 similar samples on MalwareBazaar
TLSH T1D1F4F0731105BEA6CF5A2EFD691030A04DB8BC67272DD745AC5AB39920F7720CE58ACD
File icon (PE):PE icon
dhash icon 55962b4d4d69330e (6 x AgentTesla, 2 x Formbook)
Reporter pr0xylife
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-11-01 10:58:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/13ffc71f-63c9-4b48-beff-d5a1f6fc250a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617ffa429a5a1e91c5d9f960/reports/5a2bcc6e-a2fc-4083-a828-fff85450d87b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7578660-0ad3-4ac1-8fc3-7bfba1e4bced
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880324
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512758 Sample: Inquiry PDA (S.S. Pacific E... Startdate: 01/11/2021 Architecture: WINDOWS Score: 100 32 us2.smtp.mailhostbox.com 2->32 44 Found malware configuration 2->44 46 Yara detected AgentTesla 2->46 48 Yara detected AntiVM3 2->48 50 6 other signatures 2->50 7 Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe 3 2->7         started        11 WNRUXJ.exe 3 2->11         started        13 WNRUXJ.exe 2 2->13         started        signatures3 process4 file5 30 Inquiry PDA (S.S. ...ighten)_pdf.exe.log, ASCII 7->30 dropped 52 Injects a PE file into a foreign processes 7->52 15 Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe 2 9 7->15         started        20 Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe 7->20         started        54 Multi AV Scanner detection for dropped file 11->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->56 58 Machine Learning detection for dropped file 11->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->60 22 WNRUXJ.exe 2 11->22         started        24 WNRUXJ.exe 11->24         started        signatures6 process7 dnsIp8 34 us2.smtp.mailhostbox.com 208.91.199.224, 49832, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->34 26 C:\Users\user\AppData\Roaming\...\WNRUXJ.exe, PE32 15->26 dropped 28 C:\Users\user\...\WNRUXJ.exe:Zone.Identifier, ASCII 15->28 dropped 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->36 38 Moves itself to temp directory 15->38 40 Tries to steal Mail credentials (via file access) 15->40 42 4 other signatures 15->42 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d6d2952d220d3c8ca18a08d57de9a5d5c22a19d8bd4e6f26fb21ddc4e7c76a61/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 10:38:08 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23jjkljcbu6izimkbdkx32nf2xbcugoyxvhg6jx3eho4jz6hnjqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16546ba120d0a98d46a555fd902027b72df65375aa7e8b8f565e089c5c884315
AgentTesla
1e00993f9b487efe986bb97b3408fd6111d0983d29e86943c1deafc72ac7333f
AgentTesla
7353a3d45faaf458e6855490cc1972e8fae4b4fb3824e0931a963408754c4ea0
AgentTesla
bd2b74e08fad018b100e51f29b67beb001afac1b243e73f4180d22879d86c639
AgentTesla
d83b084a590b9b330fec3934eeb02a3db09368e706fc7bcb163e23b180643f38
AgentTesla
e4c595f1aa1c2546d1d7334362ae8905cdf2e634b1cc87d4d1c8880f5c029585
AgentTesla
e6337a7fb5d157e893b94b6c3c93b145c8f043fdf4ea2bacab8dfab7c3b30c2a
AgentTesla
f3e6dcfd4b79c28078de10a6e14385b58a69b73b79986cef7000e88501b7d3ae
AgentTesla
+ 12'456 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211101-mpdx8sedgl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1d3035c0715ca015ff772c106ca3b37fa4c534ce29701167331543721236a982
MD5 hash:
980f7cf8be7fc1f1be6304a3b02ebf4d
SHA1 hash:
d19860a7e121bd8de1c0962138759f8a3afbec98
Link:
https://www.unpac.me/results/3127b255-989e-4f12-bba4-dc318db2fdf6/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/3127b255-989e-4f12-bba4-dc318db2fdf6/
SH256 hash:
235cc05cba8784578dc1d748ace01e0de486ed8a4fb050293e9a23f238773b9a
MD5 hash:
189ad1a2e51db8e96d497158e09101ef
SHA1 hash:
272d8bdb495680f6d78c707496a8dd255137279c
Link:
https://www.unpac.me/results/3127b255-989e-4f12-bba4-dc318db2fdf6/
SH256 hash:
d6d2952d220d3c8ca18a08d57de9a5d5c22a19d8bd4e6f26fb21ddc4e7c76a61
MD5 hash:
ebde85f2d253ffb7c4e7813ac60bccf4
SHA1 hash:
dc216cd6e61af15f262b2fa91c12ad66adef0852
Link:
https://www.unpac.me/results/3127b255-989e-4f12-bba4-dc318db2fdf6/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d6d2952d220d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6d2952d220d3c8ca18a08d57de9a5d5c22a19d8bd4e6f26fb21ddc4e7c76a61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments