MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c
SHA3-384 hash: dc04b62eb0a1aada20ae5dbd304e221c1d349d0f034aa156da46e1fa9c73becc785761c755542707acacb6952c742b2b
SHA1 hash: 8a7721eea2905bb611dc708cd39ad6ac95f19216
MD5 hash: d9eee157ae1c8f1df8defe43f0266b96
humanhash: zulu-florida-oxygen-fanta
File name:obizx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:714'752 bytes
First seen:2023-11-28 14:06:01 UTC
Last seen:2023-11-28 15:18:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:P427aacY5J3gdH10Fwosa5qu40xBgPYOuE2AVWzFNRDjWs1QmbCpk:P42B3gdtoD4XdudMWQu
Threatray 3'179 similar samples on MalwareBazaar
TLSH T161E4129837ACDF53E23A93F696B1201103F9241AB5A2D6785EC661DF9866F000F94F1F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SCAN-93526.doc.tgz
Verdict:
Malicious activity
Analysis date:
2023-11-28 13:29:50 UTC
Tags:
exploit cve-2017-11882 loader agenttesla stealer
Link:
https://app.any.run/tasks/bf65299f-69be-419a-99e3-f9c695bf976c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/460951/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.16536.28887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6565f3ce2efa450749abd30e/reports/4c04534e-17c2-4cb7-8148-9dbb1299646e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cb57ad5-b6e1-40f4-b48b-9bacefa29da7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349292
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-28 09:51:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mcaj5dlhiwi37vt5svcjgdwdn26x6d5oulf547sitdzaw3kzyooa._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
Similar samples:
3727dbb8d08291962eb02e9b76df93a7dcb3f15751ecef1a80c511225a07d0c0
AgentTesla
3bff4f95cc537a4ad075931d288e21a0640a1764a29a40f0b3ea0d89f54635a9
AgentTesla
4343245f1db76214093c4adefb0b167327c7bd49fa66608eccb2c4faadc3e32d
AgentTesla
48ef496367a300605f93d8d5f650a7a9a9e333c6acae2770efd78181bdd293aa
AgentTesla
4a699a693c63228aebd3e0bc98d92fe2d8bb7ae487992e81cfee767f0b9ed1bf
AgentTesla
60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c
AgentTesla
7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
AgentTesla
89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc
AgentTesla
8bc2d2a8e99fdf12dabed46d100d94d357e064f307718087591e9858c840a1c3
AgentTesla
f566666ec884f4fb52f5167294dfce5402e8bb78ed4cd242985492312eaa4a66
AgentTesla
+ 3'169 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231128-redlyaad37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
07d825bc093dd6a09fa8d34b297844701bb80aba537ff9cc314851fb66ec17aa
MD5 hash:
b59776703fbabbd788321e0366753392
SHA1 hash:
fc4964463ed04a7d20164985bbf7da942c323cd3
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_bytecodes_sep_2023
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
Link:
https://www.unpac.me/results/69d7be0e-340e-4610-8a23-d57ca0b0d00e/
SH256 hash:
9b4782435f360ecc5faeb31e402c8ec44057a57b28073419aa8379a3c33c2c93
MD5 hash:
ccd0bcc6cc01923e5ddf4ba72fc8fa12
SHA1 hash:
f2d4bd262aa5a6e2cf439488c1cae3968ab8d34a
Link:
https://www.unpac.me/results/69d7be0e-340e-4610-8a23-d57ca0b0d00e/
SH256 hash:
68b2b3e82a9e5b4b28f9eb0ddf7418ecb78248534ad012f83e43cc23295a37fe
MD5 hash:
18ef89f20e57dd404efa6df65173b56c
SHA1 hash:
beaa0cb41d8ec851601ca33fed3545db774868fa
Link:
https://www.unpac.me/results/69d7be0e-340e-4610-8a23-d57ca0b0d00e/
SH256 hash:
f5a8f5ded618fd3989fa98a3c2d87c4853d6e10ecb1313cd5ddd7df375336b31
MD5 hash:
243f9990bb7d68a3f6e4d3999800da5b
SHA1 hash:
ba555175d12f19f6288a3574738bcd6c8b747e3b
Link:
https://www.unpac.me/results/69d7be0e-340e-4610-8a23-d57ca0b0d00e/
SH256 hash:
60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c
MD5 hash:
d9eee157ae1c8f1df8defe43f0266b96
SHA1 hash:
8a7721eea2905bb611dc708cd39ad6ac95f19216
Link:
https://www.unpac.me/results/69d7be0e-340e-4610-8a23-d57ca0b0d00e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/60809e8d6745/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV4
Create hunting rule
Author:kevoreilly
Description:AgentTesla Payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 60809e8d674591bfd67d9544930ec36ebd7f0faea2cbde7e4898f20b6d59c39c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2728715/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/460951/

Comments