MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c6a73b0b33c6066230a29068a36779bc1c4ecfc98ffdd5c49ce5abe406a60f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTsla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c6a73b0b33c6066230a29068a36779bc1c4ecfc98ffdd5c49ce5abe406a60f2
SHA3-384 hash: a8d49edee833cb0cb9c3f7a4218ad989056c04053903ba5660d0ac1473d24a27e4e65b1d85fb96d9901db36020e34999
SHA1 hash: a428c0b13551d04bae95045bef785f6abcba0991
MD5 hash: bd31ef9e872afd9fc86a7a7b12312606
humanhash: connecticut-green-whiskey-tennessee
File name:Quote N city 6oct Modification...exe
Download: download sample
Signature AgentTsla
Create hunting rule
File size:507'912 bytes
First seen:2020-09-22 16:07:12 UTC
Last seen:2020-09-22 16:45:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:FurVvGt4mbGJgoZZcX9ET6Rpzls7dV4nWJo6o7KTlicUHg+YKtO:FdtdggcsUupzls7nYmo7U3UHG6O
Threatray 110 similar samples on MalwareBazaar
TLSH 65B42AA22D42D87DCA5AC379496280C0FA366EC636934A0DF05B721C0E36AD79F7D54F
Reporter James_inthe_box
Tags:exe

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/64449/
Detection(s):
PUA.Win.Trojan.Generic-6629273-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/472574
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the document folder of the user
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c6a73b0b33c6066230a29068a36779bc1c4ecfc98ffdd5c49ce5abe406a60f2/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-22 16:06:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0
AgentTsla
0e7ba6c8acc0e3de5a31e050eb287daba683c992e12c4715730ef3ccf3bbf575
AgentTsla
4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984
AgentTsla
80f341333728513fea45dc07c8582e5a8c3ac630de39b53ef23d1742ddc0f5d2
AgentTsla
84e0b5e6daeb11cdca531a22315506ee74a14bd6b0ae9c563fde694aa955867a
AgentTsla
8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2
AgentTsla
99afa20e22dac4e8fd5f536c3fd6c806fa6a9f52a0458c0c1a90fdc3e8a1f3f8
AgentTsla
b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049
AgentTsla
fe13b5826a85afc204c9be0a3c8da5fb28844c5d7829413d23dd7e4229400bf4
AgentTsla
fe4f9a7b5da072d7af80c2d4d91e47888e0420e7c5ee8fd8c051d44283ac0c41
AgentTsla
+ 100 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200922-5cvvm6m8qn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c6a73b0b33c6066230a29068a36779bc1c4ecfc98ffdd5c49ce5abe406a60f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/64449/

Comments