MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b
SHA3-384 hash: 268c3e4e732ade8901864e2a40489200e94ed33818efe7091c114b460cf2fa580a1e7b4e3498a869601fecf4dbf7edc4
SHA1 hash: 26097f9e26d3200057e1ffb8900f54a4dcc6c028
MD5 hash: a858bbf3c43b86b91baae2941ca6c45c
humanhash: alabama-table-sad-kitten
File name:a858bbf3c43b86b91baae2941ca6c45c.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:752'640 bytes
First seen:2023-05-30 10:15:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:/7/llVG7CbAPUobAaf77d2o7u0PSvOz/Zic0O3kdID5b525TlBzQCMjpFjM5HXoX:RXG1UobAyPbus90JC56rFSptMJwri+t
Threatray 4'412 similar samples on MalwareBazaar
TLSH T19CF4230F563C866BC60F07FAE002955F03796C09BB49F7512EE93AF75BA2B4AD100E95
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 64d2d0ecccd4c4e6 (2 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a858bbf3c43b86b91baae2941ca6c45c.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 10:16:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6deaab90-53b3-4dc0-ba9a-d72d13d4eeab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393466/
Detection(s):
SecuriteInfo.com.Variant.Tedy.369182.28884.15655.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6475cce46407f39ba8add5d5/reports/0f2c5e8c-a3c1-4404-abca-955aef198cc5/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97886d25-e083-40cb-a6cf-0dc29ce9341d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245105
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b/
Threat name:
Win32.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 10:16:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gbtnmgouxwxwefk6c3wwy6v7cglmhbnjeuxjip5ek4pd6ylt2fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09d70a9a22f7bf12c1a6354b1d90d426e1223576d27ba855f6f48d78bf508833
AgentTesla
107f5059b55ddfab8351c5369f43325f2d051aa41f5bbfe94a48ce577626a726
AgentTesla
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
AgentTesla
5404c10cf88a5d915b78fcc822cb3ba3139ad4ed9cdacbf6c82dd070c4e1bc4b
AgentTesla
6ff0433a9bb7d6a3a7dd345dbf1c12850ec13d3e72898815ed595c9605752dbe
AgentTesla
8921ed257002d7a54fe4e22f1192cfc11a0d1f15270619361aefa96164a992eb
AgentTesla
9f05a25d30b22c3d4a8da65f3ef034fc24ed35b97ed418f79d3af4def9f7ccdf
AgentTesla
a7880f86bd0bbb436dde37febb6168a0fbc51978378c0f5fd8f024d3c6487a7c
AgentTesla
c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea
AgentTesla
fb36ca37495933a6fdd5da7db3dc63e1eba950c54a2626e7fbcf520118a0b09e
AgentTesla
+ 4'402 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230530-masg3sgh95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1031c7ae843cb8cfa6c24a4db8bf72ea5ef80d551a9103e943953816a8eb6104
MD5 hash:
b6885d594f33ba02bfa961f45e0021e9
SHA1 hash:
d9ea89d3973190a3bb523a1c57fc17652fe140de
Link:
https://www.unpac.me/results/1cc05b43-fa1f-4608-a42a-d6d0c362dea2/
SH256 hash:
969dc0e9ad779cbf7dbaf1d48764aa77df2a0bd0837886191a33ec96656b02d2
MD5 hash:
2019b3ca7c27317acb7b8985476dc0e7
SHA1 hash:
89393fc0f59a94f5d0fed2a63c30e9e3357168a1
Link:
https://www.unpac.me/results/1cc05b43-fa1f-4608-a42a-d6d0c362dea2/
SH256 hash:
8d588e840facf0a7ad90b18eedf92d42aba91807e3b42ae4b35f1077b6acb222
MD5 hash:
b611caa104b200e1f2d77f11bb610348
SHA1 hash:
4f3e021da7976b787f57f62a5c4236c2f188c1ae
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/1cc05b43-fa1f-4608-a42a-d6d0c362dea2/
Parent samples :
f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b
a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57
SH256 hash:
0801e7085b297f1a952d8299a5f78bbe97158db5684dada00c07fc150c14c5d4
MD5 hash:
82cc8ed82b3f5a7e139df570ed53c8a7
SHA1 hash:
4806de3ca8ac137c696cf783dfdee499b2e134c9
Link:
https://www.unpac.me/results/1cc05b43-fa1f-4608-a42a-d6d0c362dea2/
SH256 hash:
f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b
MD5 hash:
a858bbf3c43b86b91baae2941ca6c45c
SHA1 hash:
26097f9e26d3200057e1ffb8900f54a4dcc6c028
Link:
https://www.unpac.me/results/1cc05b43-fa1f-4608-a42a-d6d0c362dea2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f98336b0cea5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2638384/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/393466/

Comments