MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06408113ecebbf603255fb28db23c3dce8feff08089fdf626ae2d59edd72cddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	06408113ecebbf603255fb28db23c3dce8feff08089fdf626ae2d59edd72cddc
SHA3-384 hash:	2b88f2ecfa09a64e1b347292f3384f20aa27605b05f31988db08d416fcad15dba18af910c12328ecc41c0e9d52b08e9f
SHA1 hash:	89fcedb4b9d04f169a1be54a8c18769f3a1ffb32
MD5 hash:	1d95f419f8d8d29f923fc62d18a1dea9
humanhash:	aspen-georgia-snake-louisiana
File name:	NLDDB-082-8232023.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	108'544 bytes
First seen:	2023-08-23 15:00:50 UTC
Last seen:	2023-09-04 14:07:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:LVX8QI8TCvziY+qhF8JcaVp73cMj9L2GWEFDpegNI6mlk7URKZdHFO6tVJs/hJys:JsgAFK7MgMOqu7E+bbVOwA
Threatray	5'592 similar samples on MalwareBazaar
TLSH	T1DAB31AAC778CCF27CB0DAB7844E5D290232580B67793E787AED851A01C527C99D19BCB
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

NLDDB-082-8232023.exe

Verdict:

Malicious activity

Analysis date:

2023-08-23 15:02:00 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/d786632e-a42e-494f-91d1-16db9da74a63

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444319/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.23662.11664.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

floxif lokibot packed virus

Link:

https://www.filescan.io/uploads/64e61f2eac089eb812449a98/reports/9ade76a4-d692-41cc-ad70-b6843bf58188/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/06408113ecebbf603255fb28db23c3dce8feff08089fdf626ae2d59edd72cddc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/34dca5d1-5721-4df8-bd86-af7c44f1cc24

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1295975

Signature

.NET source code contains potential unpacker

Creates multiple autostart registry keys

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: MSBuild connects to smtp port

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/06408113ecebbf603255fb28db23c3dce8feff08089fdf626ae2d59edd72cddc/

Threat name:

Win32.Trojan.Synder

Status:

Malicious

First seen:

2023-08-23 14:37:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 23 (65.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=azaice7m5o7wamsv7munwi6d3tup57yibcp56ytk4lkz5xlszxoa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

18882d60079bbd389595e9b68042d1dae0074c21d90d90459cdf16aeac81b492

AgentTesla

33b67c48b82d100f089d7b7bce9ff0a70321ba7fe05ba40e17eece260d3bfa2c

AgentTesla

40c36e5d6cec1bac32779ed8e2e2dceceae01a70115a23d3b3d32e9c56db86b3

AgentTesla

5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108

AgentTesla

5ea4e5a7bf4eea3fc6bc09fddcda1844dc29481429fe05e5d4f65776f51a5a8e

AgentTesla

6eefdf2b638055093eef90cee1a6ebec2a2b238daf74576fef0e8eca6a02f2af

AgentTesla

6f4954a23f51c48f450992f809848da3a8bb5c1d7c4bc262332fa2507f1a1cc9

AgentTesla

e1fae54e9fb4d1c3d42119a980b7992cbadfda5c7051de61a2d1cef9d251c173

AgentTesla

f2a228803ecd97cb21207b13024d38b890aac02dcbe04fb2ec74a10550bc1589

AgentTesla

+ 5'582 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230823-sdvz9sed7x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

06408113ecebbf603255fb28db23c3dce8feff08089fdf626ae2d59edd72cddc

MD5 hash:

1d95f419f8d8d29f923fc62d18a1dea9

SHA1 hash:

89fcedb4b9d04f169a1be54a8c18769f3a1ffb32

Link:

https://www.unpac.me/results/fe7b7a1a-738d-4f00-a00e-6f97c5bd0ef0/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/06408113eceb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/06408113ecebbf603255fb28db23c3dce8feff08089fdf626ae2d59edd72cddc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/444319/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample