MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e
SHA3-384 hash: 8346e194963a543d9b8a99c14bcb1390f912f7f99a4cafcf3f34422cf6ee275c8a65aecd6cce2f54464abffd5db7c6b4
SHA1 hash: 3da6ac379af8fef17b6108f6610af07edee30163
MD5 hash: 3532d8ab3600b59b2ddbec97094ef831
humanhash: mars-equal-september-foxtrot
File name:REVISED CONTRACT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:855'552 bytes
First seen:2023-04-26 17:51:38 UTC
Last seen:2023-05-13 22:56:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:g7/9WflU/9dlqGzq1ejQrMR6DaoLLeM1+kFqMKj5/A:8ylUdqGW1iCM+S9kQ9/
Threatray 566 similar samples on MalwareBazaar
TLSH T17805483C19BD263BC179D7A68FE4C827B154A8AF3121ED64A8D757A60346F1235C323E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
281
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REVISED CONTRACT.exe
Verdict:
Malicious activity
Analysis date:
2023-04-26 17:51:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3f104dff-9ad6-42a8-b664-1684cb379304

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385104/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/644964c38615b5d32a534a1e/reports/8fe1a96d-7791-4f98-af62-8b72d16d52a7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e8e03ac-868c-418d-8617-9d67828bf881
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1221773
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 854721 Sample: REVISED_CONTRACT.exe Startdate: 26/04/2023 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 7 REVISED_CONTRACT.exe 7 2->7         started        11 baVCPoYOaSVn.exe 4 2->11         started        process3 dnsIp4 36 C:\Users\user\AppData\...\baVCPoYOaSVn.exe, PE32 7->36 dropped 38 C:\Users\...\baVCPoYOaSVn.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp9992.tmp, XML 7->40 dropped 42 C:\Users\user\...\REVISED_CONTRACT.exe.log, ASCII 7->42 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 7->60 62 Adds a directory exclusion to Windows Defender 7->62 14 REVISED_CONTRACT.exe 4 7->14         started        18 powershell.exe 19 7->18         started        20 schtasks.exe 1 7->20         started        22 REVISED_CONTRACT.exe 7->22         started        44 192.168.2.1 unknown unknown 11->44 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 68 Injects a PE file into a foreign processes 11->68 24 baVCPoYOaSVn.exe 11->24         started        26 schtasks.exe 11->26         started        28 baVCPoYOaSVn.exe 11->28         started        file5 signatures6 process7 dnsIp8 46 mail.modelinfra.com 159.89.168.198, 49685, 49688, 587 DIGITALOCEAN-ASNUS United States 14->46 48 x1.i.lencr.org 14->48 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->70 72 Tries to steal Mail credentials (via file / registry access) 24->72 74 Tries to harvest and steal browser information (history, passwords, etc) 24->74 34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 09:26:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3eggdifbbvpgf67yei6bl7m3fyc2evbgfffwoejsq3rzqsfvii7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061be461e36480dff405e58d338c66f86d2e6c0cd95d7e13cf8b42ee7425375d
AgentTesla
1e712ef0a37d9e8d2f6ef512da2438ef05e073cde9ae6677858b9ebbd1c23b2b
AgentTesla
2736bb21fab5703708ab49c3f24660ff1e8f2fc8745ae19bc422f5e6aff5f5d8
AgentTesla
44a297e5ccf344c0422f4f80b2c490f2650bf44c142f131378b2eb6a6507bc9b
AgentTesla
60e955512319217b4acadcb5fe46bd70a1bcd078f2d556483f1f6be819cf182a
AgentTesla
a0fbf510a0ad55765026894b11a642401ba689147ac093aac30ddcb8d3f2988e
AgentTesla
a9b98a60cb56ec8b3b05c5ebe0656afb6f42a5cb296c8c4fb2dccc283a2fe082
AgentTesla
c2007efc856ef59747e1246b35cdf0ce25dc3748272a4ad54bea979ad34e55c4
AgentTesla
d4086b64b176925017dd2db176cb3754e172bcec944037e1f3ea53ce48c1303f
AgentTesla
e8bc1fa2b809ab8be04a697cde6ddd4bad7a9120c60b3793f76d5fcc17d7423e
AgentTesla
+ 556 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230426-wfp4ksba25/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c40d4b8cca23dca415c9582b1d6f4743a08aa820904ede3f9d49575dd52e12c1
MD5 hash:
c2a625ffd3a83db601ee317d306eca5e
SHA1 hash:
f6eb0aee8b8bb2302b6e05c18cc3a9f76a7e7e40
Link:
https://www.unpac.me/results/39518b70-97cf-46af-afaa-3075bba5e3fa/
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/39518b70-97cf-46af-afaa-3075bba5e3fa/
SH256 hash:
3af0265816a895d074584c98e7ff6a93990fc0657faf84ddd959706640bd023d
MD5 hash:
6bb640a27431bef4c59d1956799540b4
SHA1 hash:
e9c99abb17c1cc43696663be8995045c6f97a63c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/39518b70-97cf-46af-afaa-3075bba5e3fa/
Parent samples :
d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e
dfb7a1be58446a935967d834e0374d948ed2a5506c6075343b0375614a4a6504
4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c
05a6e74beef92dc711c25b3b01565f9b1a36f08f914567e467e5a47dc2d1087f
SH256 hash:
58d2780bac07a53fa9ef0099c386ad23c2c5b83df99e18bbcca9895f829ef5d8
MD5 hash:
3a6ac846fbf56df68c3cb61cd18c7623
SHA1 hash:
e5b7f4e47b357f330b33330663ff5739a02d442f
Link:
https://www.unpac.me/results/39518b70-97cf-46af-afaa-3075bba5e3fa/
SH256 hash:
0599c2515d1c15d3d1671aecffa436f572c45d8ca4545fce89463bf04d9e9bc0
MD5 hash:
e1d27549bef25ce6fb75a6f961a51524
SHA1 hash:
dd978259a5168cf2239df4fe0a654a61b8ec788a
Link:
https://www.unpac.me/results/39518b70-97cf-46af-afaa-3075bba5e3fa/
SH256 hash:
d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e
MD5 hash:
3532d8ab3600b59b2ddbec97094ef831
SHA1 hash:
3da6ac379af8fef17b6108f6610af07edee30163
Link:
https://www.unpac.me/results/39518b70-97cf-46af-afaa-3075bba5e3fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/385104/

Comments