MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590
SHA3-384 hash:	f3f5f4e379308e29d058eb317554e058a48fbd8ef0c90babcc1641ab808e569e6fff537238b68116a5a7d159a13a2628
SHA1 hash:	c2c2f3b9976472018f9c0340737a53e47633d3a6
MD5 hash:	1f8bedc7efa069ec4a11ae5806440b79
humanhash:	potato-washington-cup-summer
File name:	SecuriteInfo.com.Win32.TrojanX-gen.6911.387
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	602'112 bytes
First seen:	2023-11-02 04:17:47 UTC
Last seen:	2023-11-02 15:59:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:7Gjfn3Q0R8VRZdskO64FNj16yxJb1bgWRu0HfDFqWXXn2xL/c9WQ66C:7G73QFR39O6s/6kbgWRuafZlkY9r6h
TLSH	T109D423283B59C857C61A7D3C60EA2EC28733D1967D5F7A6A6CEF500F9462E036D90731
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	38147262d6cca422 (9 x AgentTesla, 2 x Formbook, 1 x Loki)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

418

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/457744/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.TrojanX-gen.6911.387.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/654323036be5439aa5ce0cf6/reports/b9faaf28-857f-4e6f-a1f8-455f02475736/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/3d9c71e7-7052-4a71-a3c2-b71b922b2f81

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1335817

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-02 01:19:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=azvyb4ldo5g7pgr7hws7z2rh7unsxdw4ktncx2ikzjnvhk7aywia._file

Verdict:

malicious

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231102-ewybfshf63/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

73ecbf5d28f40afb3fdbd172436598acadda63f6980b1b894bb845273ec38d2b

MD5 hash:

127a3bc2fdebb453fd77a702f0914691

SHA1 hash:

ed805e37c73300d47a43cb61f2147f9f4efadca9

Link:

https://www.unpac.me/results/7ac16de4-d5bf-448d-a057-cb0453329dcd/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/7ac16de4-d5bf-448d-a057-cb0453329dcd/

SH256 hash:

99cf672bb5efbefd6a013fbcb95ee30c3cf66265e1aedc8bdd81f50cbe9ef449

MD5 hash:

0c74f56fe4f499c658c3962f436c99d4

SHA1 hash:

862a7ee2704f1cd349295f45a22ccd1f7b9c94ec

Detections:

AgentTesla

win_agent_tesla_g2

Link:

https://www.unpac.me/results/7ac16de4-d5bf-448d-a057-cb0453329dcd/

Parent samples :

066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590
116471f0d1acaf2e16533a66e0f53eb4c281e5a58a20533724ee6eab2a355f8f
704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9
1c1ffe1a97f66ee3f36058ba41beda34fe52b2a4ff3e10dbf487d3ead8ca8432

SH256 hash:

2fc6e7a93e0fbed4e6ca48c98af13c7339db7bff52a1bdce39b1c83c8e453878

MD5 hash:

af053f732b77a9c89118b0e73d2dd656

SHA1 hash:

64b34d32f5dca8ec21ffeceebe6d6c9dfc562c4d

Link:

https://www.unpac.me/results/7ac16de4-d5bf-448d-a057-cb0453329dcd/

SH256 hash:

066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590

MD5 hash:

1f8bedc7efa069ec4a11ae5806440b79

SHA1 hash:

c2c2f3b9976472018f9c0340737a53e47633d3a6

Link:

https://www.unpac.me/results/7ac16de4-d5bf-448d-a057-cb0453329dcd/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/066b80f16377/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/457744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample