MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c6be7aa9d02dd6545c3e18913e5a89c7cb96bfe79875c1a6c4aeea632a9c9ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

SHA256 hash: 0c6be7aa9d02dd6545c3e18913e5a89c7cb96bfe79875c1a6c4aeea632a9c9ee
SHA3-384 hash: 94d1dace0b56155e85c0c20a9779551f48624842688f0a51fc46647614d08ae1b6dfe2367c821efa85a9a5d6fd83ea1f
SHA1 hash: ec16437abe4696eea2234ced91bc8f8ac6f61329
MD5 hash: 86494bc0ef5f71fa7364129fa22a9a8f
humanhash: august-connecticut-uranus-spring
File name: 86494bc0ef5f71fa7364129fa22a9a8f
Signature: AgentTesla
File size: 221'323 bytes
First seen: 2021-07-09 00:36:05 UTC
Last seen: 2021-07-09 03:02:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 39 x VIPKeylogger)
ssdeep: 3072:hDxaVzwmg4CSW8JSuQbLG5UfH+hbf+XsFzMN/SkIwx3zxLUx+u2fF5qpirjwTeeV:xMm4CCAy5Uv+5/F7ktoUD2Cbe0Sus
Threatray: 6'505 similar samples on MalwareBazaar
TLSH: T15524126477E2C67BE26304314D3D72EE99E9C61616308B4B47B1278DBC26183EB0B727
Reporter: zbetcheckin
Tags: 32 AgentTesla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 121
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 86494bc0ef5f71fa7364129fa22a9a8f
Verdict: Malicious activity
Analysis date: 2021-07-09 00:41:29 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 446222, sample RUxuwqYQMM, start date 09/07/2021, architecture WINDOWS, score 100): the rendered graph is not reproduced here; its recoverable content is as follows.
Process tree: RUxuwqYQMM.exe drops C:\Users\user\AppData\...\vsumscogwbkjc.exe (PE32) and starts MSBuild.exe; vsumscogwbkjc.exe drops C:\Users\user\AppData\Local\Temp\kxeaw.dll (PE32), writes to foreign memory regions, maps a DLL or memory area into another process, and starts MSBuild.exe.
Network (from MSBuild.exe): elb097307-934924932.us-east-1.elb.amazonaws.com (54.235.88.121, port 443, AMAZON-AES, United States), nagano-19599.herokussl.com, api.ipify.org.
Graph signatures: the same signatures listed above (malware configuration found, AV and Multi AV detection for dropped file, mail/FTP/browser credential harvesting, WMI BIOS and network adapter queries, external IP check).
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2021-07-09 00:37:06 UTC
AV detection: 18 of 28 (64.29%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
AgentTesla Payload
AgentTesla
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0c6be7aa9d02dd6545c3e18913e5a89c7cb96bfe79875c1a6c4aeea632a9c9ee (this sample)

Delivery method: Distributed via web download

Comments
zbet commented on 2021-07-09 00:36:06 UTC

url : hxxp://lifestyledrinks.hu/wp-includes/cs2/startuppp.exe