MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06bc9d1d35aaf5936952229ee7aa9bda01c1804118dd29b28a260f241b1724a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06bc9d1d35aaf5936952229ee7aa9bda01c1804118dd29b28a260f241b1724a8
SHA3-384 hash: 905d733a61a4f59418b24124ac0a274fa35b1284dcfd9f36229ae1a21169e2a257c0d43c99de7a5e7d1c773e43cef6a7
SHA1 hash: f627731c1b0277e31d3969ab2c6fedfad8bf941a
MD5 hash: 3ab45f980ca589bdbfd9762e11162e38
humanhash: seventeen-minnesota-hotel-april
File name:Payment advice copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:478'208 bytes
First seen:2021-10-19 05:41:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:2VKqp4mTGFREpHMrU56be5JJ8h+yVWNFliaa11f:2z4OHCEcefJ8xWNqd
Threatray 12'020 similar samples on MalwareBazaar
TLSH T1DFA4E102B5608F22D8F403F8903C946747756D2B4521E29A9E65BDCF3E7ABC2452EF27
File icon (PE):PE icon
dhash icon 0303010903010301 (2 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198379/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.17696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/063ef68b-d51a-4b09-8f5e-9c3073b0cf5a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872831
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505258 Sample: Payment advice copy.exe Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 20 Found malware configuration 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected AgentTesla 2->24 26 9 other signatures 2->26 7 Payment advice copy.exe 7 2->7         started        process3 file4 16 C:\Users\user\...\Payment advice copy.exe.log, ASCII 7->16 dropped 18 C:\Users\user\AppData\...\RPiAdZKXsGonm.exe, PE32 7->18 dropped 10 schtasks.exe 1 7->10         started        12 Payment advice copy.exe 2 7->12         started        process5 process6 14 conhost.exe 10->14         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06bc9d1d35aaf5936952229ee7aa9bda01c1804118dd29b28a260f241b1724a8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 05:42:09 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a26j2hjvvl2zg2ksekpopku33ia4dacbddostmukeyhsigyxesua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
112f248bd983696a69465381b2ddadd26bb41419c649b54afd83db67bef21e37
AgentTesla
301ce03dd4b568332c1540034f427f1ec8b27061aef01bebb702c9da41755ebe
AgentTesla
57237e2f22f1c26b4d77c3b4d66537cc48a03980582100eda2162a78b9a04ce9
AgentTesla
5a3fa956c8c6f4c56393717e712e7ce7a9876274388257361b4ce4196c190330
AgentTesla
7beacc03c7e9d87b052a52f5b7dd889b581eae833a3d2bfb6cb29a2c68944727
AgentTesla
996c7d7177a30556d65872fdff745dd5adcfd6742dea6f71318e8cbc7d4cca26
AgentTesla
ad85d8f9cafa414d61158057243958855cd0c2cc4ee3dc2911f3e9e958d8edd7
AgentTesla
cb145909667bd181409f1e14b6b2fd00ec9f8894ffaba82bd2b1888065e6a22a
AgentTesla
cc142b7644620489d2089420393e993da44646556e480d3351731abbc39be90f
AgentTesla
eb12f5ac4c8669a097af19e970c05103b43e542a4ad162401c68acef25ff8b5c
AgentTesla
+ 12'010 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211019-gd2x2afcd8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
06bc9d1d35aaf5936952229ee7aa9bda01c1804118dd29b28a260f241b1724a8
MD5 hash:
3ab45f980ca589bdbfd9762e11162e38
SHA1 hash:
f627731c1b0277e31d3969ab2c6fedfad8bf941a
Link:
https://www.unpac.me/results/05fbc1d6-abc2-4f18-b563-afb092e759e7/
SH256 hash:
7b4ba24781e21b310e2749bc2f7a80b9670a4198a54d26e42079a6a1c1be6ae7
MD5 hash:
7b77d210bf6b00fd8ee8187198852052
SHA1 hash:
7f78d6294a269349fc9a49ad3c8ccb3c3d2665b4
Link:
https://www.unpac.me/results/05fbc1d6-abc2-4f18-b563-afb092e759e7/
SH256 hash:
c11ee3e34f0000a75376868adf1e15babf07a2f3eeee016743ddee631a160f81
MD5 hash:
6046208c9312e0e10caa75645bf50478
SHA1 hash:
60c6e3c1d5ed363c6211dad368ac8a09a11b93c2
Link:
https://www.unpac.me/results/05fbc1d6-abc2-4f18-b563-afb092e759e7/
SH256 hash:
a9bf0f7990b3a132b42e988ae2256c6a06207c33492f850cca1d48e22f0b5b26
MD5 hash:
a47a3e467815e90a5eac024d88a81226
SHA1 hash:
13927e81a5ed1ccd7d01b6a5ee5aa14e25b3b33c
Link:
https://www.unpac.me/results/05fbc1d6-abc2-4f18-b563-afb092e759e7/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/06bc9d1d35aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06bc9d1d35aaf5936952229ee7aa9bda01c1804118dd29b28a260f241b1724a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 06bc9d1d35aaf5936952229ee7aa9bda01c1804118dd29b28a260f241b1724a8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198379/

Comments