MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06798301d113e18d6e6ffe3321628911d604bbc65ff5b465986155abd29f09dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06798301d113e18d6e6ffe3321628911d604bbc65ff5b465986155abd29f09dc
SHA3-384 hash: b9fe3a319ee9273f795b29963f06088e8d86664dfc6bea6755a1f2386c951e26d0d1063b38e654bb38706fafed67c43a
SHA1 hash: 62487b332736b0a29584e625e43c6822e7c60422
MD5 hash: 53129cf39b6b180a20bef666da18f6ca
humanhash: georgia-blossom-steak-november
File name:53129cf39b6b180a20bef666da18f6ca
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'472 bytes
First seen:2021-07-22 07:10:28 UTC
Last seen:2021-07-22 13:04:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:vv+zXC2Dql7mgKP3JTpJ8XOqLccB3vGPPjBfhlgvXsRiakEKZvX+yP:+zXC2DAgP1pJ8+qLd3OP1fhafP
Threatray 7'820 similar samples on MalwareBazaar
TLSH T1FEF4F2193780AF4EC1AB8E7A84511C10EBF1E526570BFB876CD213FC198E79D8B13292
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER . 4500028602 .doc
Verdict:
Malicious activity
Analysis date:
2021-07-22 06:02:53 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/6d28c577-44e6-465e-8ae0-0c7a24198a0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173236/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37275856.29902.12184.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76a797b2-3b4a-4cac-946c-2e9c948dc566
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819970
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452381 Sample: uaXcqZQm1d Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Multi AV Scanner detection for dropped file 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 5 other signatures 2->34 7 uaXcqZQm1d.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\Roaming\mJKQTPgr.exe, PE32 7->20 dropped 22 C:\Users\...\mJKQTPgr.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp6D94.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\...\uaXcqZQm1d.exe.log, ASCII 7->26 dropped 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->38 40 Uses schtasks.exe or at.exe to add and modify task schedules 7->40 42 Injects a PE file into a foreign processes 7->42 11 uaXcqZQm1d.exe 2 7->11         started        14 schtasks.exe 1 7->14         started        16 uaXcqZQm1d.exe 7->16         started        signatures5 process6 signatures7 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->44 46 Tries to steal Mail credentials (via file access) 11->46 48 Tries to harvest and steal ftp login credentials 11->48 50 Tries to harvest and steal browser information (history, passwords, etc) 11->50 18 conhost.exe 14->18         started        process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06798301d113e18d6e6ffe3321628911d604bbc65ff5b465986155abd29f09dc/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 00:28:11 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
089c2e88733184ca2e648ccfe560f808b82962a83291023584ca69cc34d0957a
AgentTesla
542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def
AgentTesla
58bee6329b0740ddeb2191717620b272f3f088d5e9cfa105c2cd52a282aa5092
AgentTesla
73b77bdd8bc6a9970ee92c82221d492a3fa91db8c1ccd09c48fcf732c81f459f
AgentTesla
90f47fd06de01a77ccb2ab550f369454cd837bf5694707e96c636dfa0eec1b90
AgentTesla
952632c22f56687e11c3a36f9ebf8da92623b7b3df0ad5e76959af0c89fd3298
AgentTesla
a22a93aa201096c6ae9d68aa245093f3b922b90e31a529ce94bcdbd2c0507e86
AgentTesla
ad306f9b10c9cd26497ef01c1c941f4445db27befb24c07c5398f398f9f3ebaa
AgentTesla
c79c207fbde525a5b0aee8317bb5d3734b18a24f664501b57abc6eca3b41c01d
AgentTesla
cc88bd3a08611e1f813dc1a9885ca7cee62e0c6fba330d9f8dad89f01e319b2b
AgentTesla
+ 7'810 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210722-cyb5zcjmm2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
68335f4e4bdc99fc7c483a52980567d2f6b12019c9310b242ae0119c4bd13187
MD5 hash:
986a5908ffa3250b9e827ccd4db0e2de
SHA1 hash:
3a9e7192c0e20bf8f01cb6d2a0ec223c89c19792
Link:
https://www.unpac.me/results/de080500-97a6-4468-a099-e0efccb02ebf/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/de080500-97a6-4468-a099-e0efccb02ebf/
SH256 hash:
0e7d08b0699ed5995fdfa45d099226a74d928acc1c1609fe73879f81a5590466
MD5 hash:
bc895347ab70dc8b1e9b539d58869f9a
SHA1 hash:
9d9272ed254ffcaeb2aecd3c0ea52db5f79897c0
Link:
https://www.unpac.me/results/de080500-97a6-4468-a099-e0efccb02ebf/
SH256 hash:
4a7b6885d54768593e89adb7a017f284c6fe9061e43bfb97bd2d98bf0d07d1d8
MD5 hash:
87e4bcb75fd94d18a67fa139bdd09232
SHA1 hash:
a1596d41b44cfb776b76a444effd985e31766454
Link:
https://www.unpac.me/results/de080500-97a6-4468-a099-e0efccb02ebf/
SH256 hash:
06798301d113e18d6e6ffe3321628911d604bbc65ff5b465986155abd29f09dc
MD5 hash:
53129cf39b6b180a20bef666da18f6ca
SHA1 hash:
62487b332736b0a29584e625e43c6822e7c60422
Link:
https://www.unpac.me/results/de080500-97a6-4468-a099-e0efccb02ebf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06798301d113e18d6e6ffe3321628911d604bbc65ff5b465986155abd29f09dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 06798301d113e18d6e6ffe3321628911d604bbc65ff5b465986155abd29f09dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1472852/
Cape
Cape
https://www.capesandbox.com/analysis/173236/

Comments


Avatar
zbet commented on 2021-07-22 07:10:29 UTC

url : hxxp://sabaint.me/polanco/peso.exe