MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbba7dd4355342a19336aba7d468ecbdfb0d730287e8f8f28ed88ba445bab2fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbba7dd4355342a19336aba7d468ecbdfb0d730287e8f8f28ed88ba445bab2fc
SHA3-384 hash: b226e68c67778694f747fbdab318dd5bf94402c4bc36100441e599cfd9f786df29c57cd6b90a6cdff63d6afe99ee04ff
SHA1 hash: 69aca0adc727ab35be243a20e14449135dc49a8e
MD5 hash: 7b5acb7ccbf4001ab92104941d9c3d20
humanhash: fourteen-fillet-twelve-six
File name:LINE-MR-CI-A-006_Analyzer System.xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:483'840 bytes
First seen:2021-11-18 12:13:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:hcUEeLhhAdIXlI555o0KjZ5VDZEJzun/K:txA55ZKjZ9EQ/
Threatray 13'462 similar samples on MalwareBazaar
TLSH T1C0A47FBC7A414A72FD1ED170AD510AC8BB670B036280BA9657FB15CA874F0F76E45CCA
File icon (PE):PE icon
dhash icon f02b6971335d0bd2 (1 x AgentTesla)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LINE-MR-CI-A-006_Analyzer System.xls.exe
Verdict:
No threats detected
Analysis date:
2021-11-18 12:21:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd397d98-18b4-40e8-bbcb-f75936e95c59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Running batch commands
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated packed stealer
Link:
https://www.filescan.io/uploads/6196438e4912a8c920a28852/reports/39d90096-f8fc-4851-8011-8696f4effcd8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b02176a4-6b03-4925-bfea-fc85ab7bed93
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891928
Signature
.NET source code contains very large array initializations
Binary or sample is protected by dotNetProtector
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 524401 Sample: LINE-MR-CI-A-006_Analyzer S... Startdate: 18/11/2021 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected AgentTesla 2->48 50 7 other signatures 2->50 7 llm.exe 2 2->7         started        10 LINE-MR-CI-A-006_Analyzer System.xls.exe 3 2->10         started        12 llm.exe 2 2->12         started        process3 signatures4 52 Multi AV Scanner detection for dropped file 7->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Machine Learning detection for dropped file 7->56 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->58 14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 llm.exe 2 7->18         started        60 Injects a PE file into a foreign processes 10->60 20 cmd.exe 3 10->20         started        23 cmd.exe 1 10->23         started        26 LINE-MR-CI-A-006_Analyzer System.xls.exe 2 10->26         started        process5 file6 28 conhost.exe 14->28         started        30 schtasks.exe 1 14->30         started        32 conhost.exe 16->32         started        40 C:\Users\user\AppData\Roaming\llm\llm.exe, PE32 20->40 dropped 42 C:\Users\user\...\llm.exe:Zone.Identifier, ASCII 20->42 dropped 34 conhost.exe 20->34         started        62 Uses schtasks.exe or at.exe to add and modify task schedules 23->62 36 conhost.exe 23->36         started        38 schtasks.exe 1 23->38         started        signatures7 process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dbba7dd4355342a19336aba7d468ecbdfb0d730287e8f8f28ed88ba445bab2fc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 03:53:26 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3o5h3vbvknbkdezwvot5i2hmxx5q24ycq7upr4uo3cf2irn2wl6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
531284168c3d5dee90d9d45b762d7e3b0fb409a670efcf61b378df7677d58b55
AgentTesla
6fe626105e92733a8c3119e1636c72daa63ffa0fde2407c654c2f9ffe3f77ae7
AgentTesla
7a8e89beb8fa4a647a23d499115ff58be5246fe23160df7a404bb42610326d26
AgentTesla
a821f6915c6407fe0347c376b15a83f7c63d253d7686040855c0e24ad0b57a5a
AgentTesla
aa16e563346384cfcb7fbd83727cce3dfffa7ae31ee3581671ba3d57a5e21829
AgentTesla
cad70669903576a958ddeca091837210a4dd5ff769da7ad1d50a31997850c705
AgentTesla
e707dd6595699737730f53eedf41f814e446c35faf7e83e42d466fafb090eb54
AgentTesla
+ 13'452 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211118-peb21afhe7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
aef96b332ef7d16be58409be9ac8a84b06ddd4dde4b17dde4a8e029c8cfd0a51
MD5 hash:
ab2d3f35ad8bfb5a6e26c29f7fdaeb42
SHA1 hash:
d95182d76d1bd4c4800ec3b7ba934f60f5f93157
Link:
https://www.unpac.me/results/62a7dffe-1638-4f36-98f2-cad0f0a40e7d/
SH256 hash:
dbba7dd4355342a19336aba7d468ecbdfb0d730287e8f8f28ed88ba445bab2fc
MD5 hash:
7b5acb7ccbf4001ab92104941d9c3d20
SHA1 hash:
69aca0adc727ab35be243a20e14449135dc49a8e
Link:
https://www.unpac.me/results/62a7dffe-1638-4f36-98f2-cad0f0a40e7d/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dbba7dd43553/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbba7dd4355342a19336aba7d468ecbdfb0d730287e8f8f28ed88ba445bab2fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207224/

Comments