MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 decea99e89d160b5656fdc941441eae35a1f81f32d423f7d444703944c3f9f98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: decea99e89d160b5656fdc941441eae35a1f81f32d423f7d444703944c3f9f98
SHA3-384 hash: dbbc58608978d28e28d59c7ea78360f121691a5345502718079d85a8b655f1726719275430580ab4b009433bcdbacdcc
SHA1 hash: a6264679c3a5b2c84809bfaec6ad86049e79e583
MD5 hash: b3c1c45ef044c93da03c54fd8fe318fb
humanhash: oxygen-california-bravo-timing
File name:QUOTATION REQUEST.exe.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'766'400 bytes
First seen:2021-09-28 13:22:19 UTC
Last seen:2021-09-29 05:03:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:OmzIwc6jVhmonXRSfOdkschug3UI6u/1q:OmUwc6jVhmonXRSF1huDIm
Threatray 10'390 similar samples on MalwareBazaar
TLSH T1FD8561254E1686F7C3EEC638D05C4A9EDAF2AC877660CE1DD881BAC712B770BD24845D
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b3c1c45ef044c93da03c54fd8fe318fb
Verdict:
Malicious activity
Analysis date:
2021-09-28 12:29:01 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/61549af8-51df-4ecb-aa46-c81aa1cddd8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1037-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5042006b-1372-490c-8c97-37654617f60f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859876
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492311 Sample: QUOTATION REQUEST.exe.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 38 mail.atharvashipping.co 2->38 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 8 other signatures 2->54 8 QUOTATION REQUEST.exe.exe 6 2->8         started        12 tKZVPq.exe 2 2->12         started        14 tKZVPq.exe 1 2->14         started        signatures3 process4 file5 32 C:\Users\user\AppData\Roaming\LQfoZIOVQ.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmp417F.tmp, XML 8->34 dropped 36 C:\Users\...\QUOTATION REQUEST.exe.exe.log, ASCII 8->36 dropped 56 Writes to foreign memory regions 8->56 58 Injects a PE file into a foreign processes 8->58 16 RegSvcs.exe 2 4 8->16         started        20 schtasks.exe 1 8->20         started        22 conhost.exe 12->22         started        24 conhost.exe 14->24         started        signatures6 process7 file8 28 C:\Users\user\AppData\Roaming\...\tKZVPq.exe, PE32 16->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 16->30 dropped 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->40 42 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->42 44 Modifies the hosts file 16->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->46 26 conhost.exe 20->26         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/decea99e89d160b5656fdc941441eae35a1f81f32d423f7d444703944c3f9f98/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 11:26:51 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=33hkthuj2fqlkzlp3skbiqpk4nnb7aptfvbd67kei4bzitb7t6ma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12f108fd2c26d301f44ba20cc6857a5bfe0330e72d1a356051b2f8e968c8214d
AgentTesla
4fa37c31a5207940aa9e0d00fc393f91532e6da3a7dcabba9ab902e33a14afbe
AgentTesla
5ce37eda5b443fa4aba2f5152b0856ef9c3341641ac3c8e7750088301220c6d5
AgentTesla
669e6bcb89355a0e4e293c60f3afd47c671f0d01e7cab9fe00fe48b7e878cf90
AgentTesla
6f871f3642191d04e4fe20f022f738d89b3ad90b531cef6adde91d10f257431d
AgentTesla
7fb4a26d9f2c3a08c69d7f5838b7f88d8c6f31ab2aa69b130b150449baaea7ad
AgentTesla
877a10d92f5b06000711b96af3b0705ff13494b7eb38804adcf3f207457cf51a
AgentTesla
9d393dc3fda68914e201012280b9eed4fd76c0dd077817c83c9e05cdf5d3cab8
AgentTesla
ad2fa7de2b185433a3cdc8af606b887bbcf831d30286596ca929f9cae6d516cc
AgentTesla
+ 10'380 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210928-qms6xscbgm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
850f6d50afe5343255ac0a273ccf11f099649d9b0966a1caaa2c4ed4feada2df
MD5 hash:
94bcafb678537ec643f7d1c8002f06c2
SHA1 hash:
ef2cce9ece6897e66c839a7f1821494f31f94f34
Link:
https://www.unpac.me/results/27f89a69-1cfc-4c42-872c-1b3d7ba9f195/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/27f89a69-1cfc-4c42-872c-1b3d7ba9f195/
SH256 hash:
ee4cbec8e3471c74a120c1d2393bca34c550eaeda8bd78dcdbbc001cea2bcc45
MD5 hash:
df63202beb37495e9c12955690161210
SHA1 hash:
1b64408cdffe1e14102525ac71896bc0adbccd42
Link:
https://www.unpac.me/results/27f89a69-1cfc-4c42-872c-1b3d7ba9f195/
SH256 hash:
decea99e89d160b5656fdc941441eae35a1f81f32d423f7d444703944c3f9f98
MD5 hash:
b3c1c45ef044c93da03c54fd8fe318fb
SHA1 hash:
a6264679c3a5b2c84809bfaec6ad86049e79e583
Link:
https://www.unpac.me/results/27f89a69-1cfc-4c42-872c-1b3d7ba9f195/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/decea99e89d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/decea99e89d160b5656fdc941441eae35a1f81f32d423f7d444703944c3f9f98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dridex_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe decea99e89d160b5656fdc941441eae35a1f81f32d423f7d444703944c3f9f98

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment

Comments