MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 006b674eb40ca99b1cffb927d3a85964fd41d31922d3af14c2b0e4b10056af0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 006b674eb40ca99b1cffb927d3a85964fd41d31922d3af14c2b0e4b10056af0d
SHA3-384 hash: 492b9db7f66cb8981a2469f2709070a68a9aef983a1b9098680362a90b1f7634bbb8f77fa698de26eea464d516fd2b57
SHA1 hash: 4bfb4197f333c6a863235671a5c3132c1e560c09
MD5 hash: a9bdeb2175725def64e40c2dfc5ac66b
humanhash: six-eight-eighteen-stairway
File name:SecuriteInfo.com.Trojan.DownLoader27.59888.20061.30004
Download: download sample
Signature AgentTesla
Create hunting rule
File size:724'992 bytes
First seen:2022-06-21 05:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:/yPUPnB7xLYLmO7sn+WIMcJsI1Y8LPs6CITUo6AMpRFlCHmlkACv72ZOC9VyVy9c:qPUpemO7nMcJkqPs6CITUKMP3CHmLyqn
Threatray 18'598 similar samples on MalwareBazaar
TLSH T1A9F4F1F58FF8B8AAD15824777094A03C33E24C2EDC15D57ACA8BF65B34666C125E4E07
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281788/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader27.59888.20061.30004.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b1585208903778452c29a4/reports/fffa76ad-dd0d-4035-a432-1163cf6dce28/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4df58e9-eef2-46f5-bbdb-d6c6d8b714e8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1016819
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/006b674eb40ca99b1cffb927d3a85964fd41d31922d3af14c2b0e4b10056af0d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 02:50:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abvwotvubsuzwhh7xet5hkczmt6uduyzelj26fgcwdslcacwv4gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e3f86f3ad2e0856dee76ae1b4c7e2990f80927264d5cbd6b957a1208bd8fb91
AgentTesla
31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969
AgentTesla
5d5dffaf41046231715971dee9add3f4c62a27c8ace0b4702b709e061a047cdb
AgentTesla
8cb67ee37e7ccd89e8263b6245a842004de8ca49dd5989a017deb110b00569e4
AgentTesla
8f5d108dd7c8d13e63443215be9a8734b4ff548be201e28f4a990bf120eec2a6
AgentTesla
a5d8d45cbd23356ba348b889e6055e7a114d84612f6bc20e829ee632269dc2cc
AgentTesla
be27ba6af4066cdac204c80a78fdd34c49934cd2a0f1ac7aba8d8b45e2b8d71f
AgentTesla
+ 18'588 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220621-f9fh8sbgfp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b76ac064f3bc57cae8ca165e4fc3905fa27480ec907c00b8d6fe3b8b33de654a
MD5 hash:
07e4f1eef038a36c40c4e57f13b68d13
SHA1 hash:
c636ed44fcae50581db586c5b69a6e5cfb8121a6
Link:
https://www.unpac.me/results/595674d6-22c9-433d-899b-be4cfa8a21b9/
SH256 hash:
6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e
MD5 hash:
7ce2d10bd0f02667bc0e1343d9ffc1c1
SHA1 hash:
c3a5b4e5721085022eb7bf0008b7e449f9369fcf
Link:
https://www.unpac.me/results/595674d6-22c9-433d-899b-be4cfa8a21b9/
SH256 hash:
6365d0a585d54163401266eb5820589cef31251ff1f71a2468d2261001f4b097
MD5 hash:
76a31aec0a538730780d1e972b5899ad
SHA1 hash:
b7f6554ed7198bceb5960d0be08873a1ef38e71b
Link:
https://www.unpac.me/results/595674d6-22c9-433d-899b-be4cfa8a21b9/
SH256 hash:
9a953582910d2d432740359c20e725ab7ea26ec74945c984b95d351e9e547943
MD5 hash:
d653c53bfe1fd4e7b0279b7cb0f80e72
SHA1 hash:
61d5c5f55a4a93afd96df1d4d5c084b45a72fd03
Link:
https://www.unpac.me/results/595674d6-22c9-433d-899b-be4cfa8a21b9/
SH256 hash:
006b674eb40ca99b1cffb927d3a85964fd41d31922d3af14c2b0e4b10056af0d
MD5 hash:
a9bdeb2175725def64e40c2dfc5ac66b
SHA1 hash:
4bfb4197f333c6a863235671a5c3132c1e560c09
Link:
https://www.unpac.me/results/595674d6-22c9-433d-899b-be4cfa8a21b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/006b674eb40ca99b1cffb927d3a85964fd41d31922d3af14c2b0e4b10056af0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281788/

Comments