MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8
SHA3-384 hash: c9a6d830c2fb12d71b164c569fac1a8b0166b95ff63a0b97e96a7f4eba574d6acb40b0d56ffb5dc10e8ec6f6fdf5cf14
SHA1 hash: 79b9b9e2534bdc6e0d440416a5d306216abcfc6f
MD5 hash: 8c2bcfdcac85d19e90b472736ba3f28d
humanhash: eighteen-video-west-uncle
File name:z1DeclarationandFinalRelease_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'984 bytes
First seen:2023-06-20 12:11:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:mb903YOXuPM7q6bpw4dcZda/igJny/AZWb6fZ2Dh4F2N+RxF8:mb903Ywzu4CZdOJZ22Z3RxF
Threatray 3'106 similar samples on MalwareBazaar
TLSH T18EF41214AA965B2BC05B0B785560F370E23C5ECAB712C68F5DCB7CCBBE967C90534A09
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2b2555676501612b (15 x AgentTesla, 3 x Loki, 2 x Neshta)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z1DeclarationandFinalRelease_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 12:13:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3fef0a7c-9052-49be-9541-329f703478fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400972/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2122.10027.26428.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64919793b453925d4072d0ed/reports/c91b3715-71cb-4e94-b72b-ecbec54b3d07/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/773c7dae-fa85-4bde-8176-85799fd37b4b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258185
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891202 Sample: z1DeclarationandFinalReleas... Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 72 Found malware configuration 2->72 74 Sigma detected: Scheduled temp file as task from temp location 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 3 other signatures 2->78 7 z1DeclarationandFinalRelease_pdf.exe 7 2->7         started        11 ..exe 2->11         started        13 emXYkuzsC.exe 5 2->13         started        15 ..exe 2->15         started        process3 file4 50 C:\Users\user\AppData\Roaming\emXYkuzsC.exe, PE32 7->50 dropped 52 C:\Users\...\emXYkuzsC.exe:Zone.Identifier, ASCII 7->52 dropped 54 C:\Users\user\AppData\Local\...\tmp31CB.tmp, XML 7->54 dropped 56 z1DeclarationandFinalRelease_pdf.exe.log, ASCII 7->56 dropped 88 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->88 90 May check the online IP address of the machine 7->90 92 Uses schtasks.exe or at.exe to add and modify task schedules 7->92 94 Adds a directory exclusion to Windows Defender 7->94 17 z1DeclarationandFinalRelease_pdf.exe 17 4 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        96 Multi AV Scanner detection for dropped file 11->96 98 Injects a PE file into a foreign processes 11->98 26 ..exe 11->26         started        28 schtasks.exe 11->28         started        30 ..exe 11->30         started        32 ..exe 11->32         started        34 emXYkuzsC.exe 13->34         started        36 schtasks.exe 1 13->36         started        signatures5 process6 dnsIp7 58 api4.ipify.org 173.231.16.76, 443, 49701, 49703 WEBNXUS United States 17->58 60 smtpout.us-phx.vox.secureserver.net 173.201.193.229, 49702, 49705, 49706 AS-26496-GO-DADDY-COM-LLCUS United States 17->60 66 3 other IPs or domains 17->66 46 C:\Users\user\AppData\Roaming\..exe, PE32 17->46 dropped 48 C:\Users\user\...\..exe:Zone.Identifier, ASCII 17->48 dropped 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->80 82 Tries to steal Mail credentials (via file / registry access) 17->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->84 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        62 104.237.62.211, 443, 49704 WEBNXUS United States 26->62 68 3 other IPs or domains 26->68 86 Tries to harvest and steal browser information (history, passwords, etc) 26->86 42 conhost.exe 28->42         started        64 192.168.2.1 unknown unknown 34->64 70 3 other IPs or domains 34->70 44 conhost.exe 36->44         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 01:17:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62amtdcbdkspaxholftua6dogq6uq5u2xrdargjbrzre6dl6xsua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
280f496ca58dc38705871bce43803a623ae40ec1f47fd52d0eb50d49740a0725
AgentTesla
37dc167da39f0b4322d8936d32185c2c99931b63284cc9edb230abd513dffbf1
AgentTesla
38a9f881eb28d8f75c2c21a9cb4de15e472866346c747c480e8e6ec485982067
AgentTesla
4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1
AgentTesla
6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b
AgentTesla
841c2906a20d94ec86b77f8521073f13981909c97a739a06f84a7bb9dc9cbe6b
AgentTesla
d964a65d39458176447fdb930e03e6534c19dcc556abde4cb522fa2aeb8289e8
AgentTesla
e33e4865fd5388cb8d3b67d1919d3ec2ee596463012327798fed93a2a282e4bb
AgentTesla
fc15e945d8f642f13960c48e212d2cbff3e9e3890cbac0b17ace14273cac0458
AgentTesla
+ 3'096 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230620-pc6htsda6t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bf30f7032a6e2fdd6a872718de569645dda2c9e734a4f90a77e5af9a58d75812
MD5 hash:
29432c0db5445ce74b8a1042234187af
SHA1 hash:
fdc1bce5c868fbaed48ff27b3cc73b752bc66e75
Link:
https://www.unpac.me/results/faa7e53c-29f6-4694-9e87-7a9b28229c10/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/faa7e53c-29f6-4694-9e87-7a9b28229c10/
SH256 hash:
f683c7cb4757b4fb059d7a80501788b80772f670357938b7884f536dfb7110c3
MD5 hash:
1ec5f2c3e4eeb79edaf29b7e72451f48
SHA1 hash:
8534584c953dc4a14f4a80f2882e8d0c71e9df46
Link:
https://www.unpac.me/results/faa7e53c-29f6-4694-9e87-7a9b28229c10/
SH256 hash:
4e2a3bbc92df38efe79d2ce2f450dd6530c1f592e4e55c056e9bcaaf11e0c999
MD5 hash:
684552d00fe45f1506deb41b70508f05
SHA1 hash:
7d1568bb878d3f40de0e6ffc369a1ad357caf234
Link:
https://www.unpac.me/results/faa7e53c-29f6-4694-9e87-7a9b28229c10/
SH256 hash:
b98735d34d7cea8f565b951107348802c272f3bd96542095d533a2046bf9294d
MD5 hash:
df80d2d962d7c44dcd2a8e30135ef716
SHA1 hash:
2b3b30fe6ac4f282b940cddb424f066424a61bf4
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/faa7e53c-29f6-4694-9e87-7a9b28229c10/
Parent samples :
6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b
88762c51cbc4467dc5e5ba304d24eef77ecb63011af117529dde2a807ca0d2d1
f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8
SH256 hash:
f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8
MD5 hash:
8c2bcfdcac85d19e90b472736ba3f28d
SHA1 hash:
79b9b9e2534bdc6e0d440416a5d306216abcfc6f
Link:
https://www.unpac.me/results/faa7e53c-29f6-4694-9e87-7a9b28229c10/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f680c98c411a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400972/

Comments