MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60500347dcd01ce976f1edc949b4f5e1f7f52f4c553c34bfda79e16bfadd4a6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60500347dcd01ce976f1edc949b4f5e1f7f52f4c553c34bfda79e16bfadd4a6e
SHA3-384 hash: 80e5266e99e086b9b75185a47e02ba366bd4aabdf121d3d756eb78cf812b730f55cc8198f2ff9e3ab6519c822907fce8
SHA1 hash: 114cb78773593e1f7f4440e75da30894d6d9c76a
MD5 hash: 137c853f9dedbf756b75d77b204ba2d4
humanhash: mississippi-florida-march-colorado
File name:SecuriteInfo.com.Trojan.PackedNET.1625.20507.23531
Download: download sample
Signature AgentTesla
Create hunting rule
File size:877'568 bytes
First seen:2022-10-17 12:22:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:hs/0f8BybvMxrDBD5HPQJc5FXPOgMOEdbdtgtQ:Vf8B/x/HI25lPOgMfbU
Threatray 20'717 similar samples on MalwareBazaar
TLSH T193156BB611D69617E425327588C3D2F32AFBAD607061D1C39AD76F2FBC440BB961338A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320964/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1625.20507.23531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634d4927b5f60e72b8c701d2/reports/740fd4b1-56d6-40d6-8a40-5f5a3bbac445/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ac90ef5-4400-4d73-8dbd-9b0b3d4b019b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091891
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 724522 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 17/10/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 6 other signatures 2->59 7 SecuriteInfo.com.Trojan.PackedNET.1625.20507.23531.exe 7 2->7         started        11 HrDJdppdqkxLBb.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\HrDJdppdqkxLBb.exe, PE32 7->35 dropped 37 C:\...\HrDJdppdqkxLBb.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpDD69.tmp, XML 7->39 dropped 41 SecuriteInfo.com.T...20507.23531.exe.log, ASCII 7->41 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 May check the online IP address of the machine 7->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->65 71 2 other signatures 7->71 13 SecuriteInfo.com.Trojan.PackedNET.1625.20507.23531.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 19 7->19         started        21 schtasks.exe 1 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 23 HrDJdppdqkxLBb.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 smtp-msa.hostinger.com 34.117.234.7, 49701, 49703, 587 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 13->43 45 api.ipify.org.herokudns.com 54.91.59.199, 443, 49700, 49702 AMAZON-AESUS United States 13->45 51 2 other IPs or domains 13->51 73 Installs a global keyboard hook 13->73 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        47 smtp.hostinger.com 23->47 49 api.ipify.org 23->49 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->75 77 Tries to steal Mail credentials (via file / registry access) 23->77 79 Tries to harvest and steal ftp login credentials 23->79 81 Tries to harvest and steal browser information (history, passwords, etc) 23->81 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60500347dcd01ce976f1edc949b4f5e1f7f52f4c553c34bfda79e16bfadd4a6e/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 09:06:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbiagr642aoos5xr5xeutnhv4h37kl2mku6djp62phqwx6w5jjxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
47bb0dc5d95f73d7dc66bfd26a7adc9433498afd2a6c63b3b14a67cf0fdd106b
AgentTesla
49adec13776b1d5c1a583a7ecfc3dca07898f060ba46010cdabd2923348d0ed0
AgentTesla
5e3e727709eadb8dcd9737154bee61d39431485042865f1b0b69887c9c75905f
AgentTesla
7813dfab45495b61483bf8b3ed97661dfadad39e080745a5c5fc841841a5602d
AgentTesla
9bed52e49ae24af6a16d581ffb93d3e8d7b62533844d3a30de1ac01b2f865792
AgentTesla
ab828ebbb7925536f94b2fe3f34100bdc8326589deb88e90dd3490893495f19c
AgentTesla
c12780831455d11678c4f38afa6c20585685c2ba8ada4c0d806b774ea16f4301
AgentTesla
daca523d37b251d259d535362a6aaf8be46a63f54f22fa09f8039e79f2eb5c44
AgentTesla
fcd6c2c05b23d2aa2cc97ca9b5afc016d7c20581548b13e5c89a5a123f7b735a
AgentTesla
+ 20'707 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221017-pkf8xabhgq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/0157528d-4bbd-439b-8ff1-584a4c7f4ceb/
SH256 hash:
54b5f7aebd3e1bdffac0f150e60cefd9be728e382d9ad6464781e899f5d04fc2
MD5 hash:
9f639fe4464c57b174dfdc89a3a8bf90
SHA1 hash:
98588fd396f3d6e58324b88a94b38af0e330b52f
Link:
https://www.unpac.me/results/0157528d-4bbd-439b-8ff1-584a4c7f4ceb/
SH256 hash:
0c7682bfb1e2a74326b6392106594fc75b33b99bc55523b77547470a0027a26f
MD5 hash:
8467124d6814de1375314a8522d4d10c
SHA1 hash:
624e892a6e812e2fa88d5763767375c5f491b372
Link:
https://www.unpac.me/results/0157528d-4bbd-439b-8ff1-584a4c7f4ceb/
SH256 hash:
f2ec9b006f54b2d6336320d7c451a67f6a98c760155f173e6ed2543be9a51923
MD5 hash:
f5723f5d3f072a347b7d8da56750116f
SHA1 hash:
1da9ff7e78b63fa177ec314c35bf0209e832bdad
Link:
https://www.unpac.me/results/0157528d-4bbd-439b-8ff1-584a4c7f4ceb/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/0157528d-4bbd-439b-8ff1-584a4c7f4ceb/
SH256 hash:
60500347dcd01ce976f1edc949b4f5e1f7f52f4c553c34bfda79e16bfadd4a6e
MD5 hash:
137c853f9dedbf756b75d77b204ba2d4
SHA1 hash:
114cb78773593e1f7f4440e75da30894d6d9c76a
Link:
https://www.unpac.me/results/0157528d-4bbd-439b-8ff1-584a4c7f4ceb/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/60500347dcd0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60500347dcd01ce976f1edc949b4f5e1f7f52f4c553c34bfda79e16bfadd4a6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/320964/

Comments