MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5
SHA3-384 hash: e600598fb03fbf844928701a50339820c695734547cf1f2285b76196c4b5b1336524feca49e756d2251e3f07c942373f
SHA1 hash: 7baad8aa138896bf2292bf4456924283cb219c52
MD5 hash: f106f4c486c27f559eb50cc3539e759b
humanhash: zulu-mars-massachusetts-nebraska
File name:f106f4c486c27f559eb50cc3539e759b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:452'096 bytes
First seen:2021-03-31 12:52:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ec18f4d9317b5556304720b9775af997 (2 x Loki, 2 x AgentTesla)
ssdeep 12288:Kbz4M7UyJ/SaZnmDmkH2tFdC8NcQYSC0cC+qD+jxgk19:KowKaZmDSvdC8NAm+lt19
Threatray 369 similar samples on MalwareBazaar
TLSH C1A40100B2D2C073E5510AB64930C6A24A37FCB25B356AC777A57F6E6A312C19B37783
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla FTP exfil server:
ftp.austrianhaus.com:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f106f4c486c27f559eb50cc3539e759b.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 12:57:35 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/5b7b94b2-ec30-4cff-9d0f-d6cb5662363e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129280/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.64054.7472.15910.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660390
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 09:39:04 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=malyaynmv2wmpkc2dty2t44ljjfuov7hwel3qjfgi3is77lhy3kq._file
Verdict:
malicious
Similar samples:
296828d37dd5732fa8bc85dd59c8032bdcbbf5aff62399ae72cabdd1989c475b
AgentTesla
76386b4c6c46b36b26d9ce00df7982d461bcd1a7586dde62cd831349d0aa3a4b
AgentTesla
8ab0599e3f141523358e5b60ef3cd9a2fb1fdbde52cb693e675a9004a25ff007
AgentTesla
abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74
AgentTesla
addfb046313926c0cfb9e4293f76c408d8e6798e129f1a1043835088c54aa69b
AgentTesla
b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d
AgentTesla
bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb
AgentTesla
becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272
AgentTesla
c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c
AgentTesla
deceb572b4fd9c2e2c964ea1a574082a7bb6cc3952ad0c2eaeabe64f20d706fe
AgentTesla
+ 359 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210331-6njbj1skh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
15961db064ea3016a241102d3436d6b3fcdaa6420eccd89b127ed93ca94a387e
MD5 hash:
31c55efc0f92945caa8f28304a7eee2c
SHA1 hash:
ded7cc31c86f3bb3495aebe4069cd3f2547cf60c
Link:
https://www.unpac.me/results/5fc1f3b9-c3e1-4211-89ee-3d295cdb9684/
SH256 hash:
ad0c1b49bed1db0c7115c9711116bd8779c5967ae66a72512bc8ba8bd08e3e1a
MD5 hash:
79e311262ed12914eb563b8f65390936
SHA1 hash:
5838643357083d408d5bb98ec72f339af71563c9
Link:
https://www.unpac.me/results/5fc1f3b9-c3e1-4211-89ee-3d295cdb9684/
SH256 hash:
f257163102c2281066e63ab18d11c14e4941da1c33b3bd5c41f969e21d18f9a5
MD5 hash:
a3b4a45222f7b3f03cac2217b1fae410
SHA1 hash:
54e29e4caa37205f7e163cea4ee39ad46aaeb56e
Link:
https://www.unpac.me/results/5fc1f3b9-c3e1-4211-89ee-3d295cdb9684/
SH256 hash:
60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5
MD5 hash:
f106f4c486c27f559eb50cc3539e759b
SHA1 hash:
7baad8aa138896bf2292bf4456924283cb219c52
Link:
https://www.unpac.me/results/5fc1f3b9-c3e1-4211-89ee-3d295cdb9684/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/129280/
  
URLhaus
https://urlhaus.abuse.ch/url/1075484/
  
Delivery method
Distributed via web download

Comments