MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 206c85493018084c42f4a2694b349475b1ac95efa91d149f61825e12a508e250. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 206c85493018084c42f4a2694b349475b1ac95efa91d149f61825e12a508e250
SHA3-384 hash: c00574bf10f806fe95b340ba09a741cc77397601863616999cde666524fec9d88eea279809b6f95cd4d32b03006898e1
SHA1 hash: 445974e9582c25b16b82b521caad6bf0e42e0bbf
MD5 hash: 601e4c2756ac7b5866e059f7bc33a029
humanhash: vermont-twenty-hamper-pizza
File name:rDEBITNOTE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:855'552 bytes
First seen:2023-05-09 11:07:32 UTC
Last seen:2023-05-13 22:56:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:28cPppgtlXGAqA1ePUYPx1mpqxPqjSoIejpXb:28xmAC/Px1qyboI
Threatray 2'631 similar samples on MalwareBazaar
TLSH T1EC05603818F97513C2B5EAB2DBC4E560FBD0899276368DDF1AD2448616EF60326CBC1D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
251
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rDEBITNOTE.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 11:08:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9991a0c3-346e-4dbf-9d54-d3929515ed9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387804/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.23376.6428.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/645a2994d860ee3e1ca67163/reports/4f07b2ef-2f06-4bd7-afdd-86065b778123/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/206c85493018084c42f4a2694b349475b1ac95efa91d149f61825e12a508e250
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cd9b153-7119-439c-9060-aa59a05413cb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229112
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/206c85493018084c42f4a2694b349475b1ac95efa91d149f61825e12a508e250/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 04:04:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebwiksjqdaeeyqxuujuuwneuowy2zfppveorjh3bqjpbfjii4jia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
251ca0215e976403d529fba60bd67ca614a3e6b18a7f2420c64acbf31400ed7c
AgentTesla
7d382b07319f3666cb6072d419a7174fbb0b05727c455333e8ab7bd8ea38b65a
AgentTesla
d09abd46b7e3761fd73b421dd29f8cbd81383c8e8dd19a09d7d63f4ced66f767
AgentTesla
f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab
AgentTesla
+ 2'621 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230509-m8jmtsfe28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/e593c3b6-ab28-4c46-a89a-39d8f48577eb/
SH256 hash:
10634b9094006261061d0e65a78ac52d615d25de91a90b61b0be7606fffc19e5
MD5 hash:
d1064b861259cbdece2acd4e842b6c85
SHA1 hash:
4a826e183ea38f27f75faa5ba84135752c2c3cee
Link:
https://www.unpac.me/results/e593c3b6-ab28-4c46-a89a-39d8f48577eb/
SH256 hash:
56b28b9ebe6c05a817d53511270e1d22aadcfde827a9fcd43733a410507065a1
MD5 hash:
e6657831d9fac4e634a412ea49c0220e
SHA1 hash:
38119d748d5d28e662b3888101a0391db3780e07
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e593c3b6-ab28-4c46-a89a-39d8f48577eb/
SH256 hash:
206c85493018084c42f4a2694b349475b1ac95efa91d149f61825e12a508e250
MD5 hash:
601e4c2756ac7b5866e059f7bc33a029
SHA1 hash:
445974e9582c25b16b82b521caad6bf0e42e0bbf
Link:
https://www.unpac.me/results/e593c3b6-ab28-4c46-a89a-39d8f48577eb/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/206c85493018/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/206c85493018084c42f4a2694b349475b1ac95efa91d149f61825e12a508e250

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 206c85493018084c42f4a2694b349475b1ac95efa91d149f61825e12a508e250

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387804/

Comments