MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60da6c2f0f43cce70ed009a733d560e61812ae324051c560bdd1f9000106b3f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60da6c2f0f43cce70ed009a733d560e61812ae324051c560bdd1f9000106b3f8
SHA3-384 hash: bb33e17bd59403849b328953a0bc8017f6b7592cda55d7bd5f13492310358d641ec66cdbc938525893216511da662b10
SHA1 hash: c7a7f03b4290755bddc8ab5e3cfd5cbcf9c90d5b
MD5 hash: 1b46553b0eddc10b8dd962e3d2d060c2
humanhash: north-bacon-carpet-tango
File name:訂單T21716008.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:406'528 bytes
First seen:2021-11-09 12:31:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:kAEwcM0MYJsCsOn64G9kTcjCPX+n8Lq06+28BvkYFBS0RrsXk1d4Xv9:MwcZHeblHWTXOYq0PPBsaS0RwX8dw9
Threatray 12'539 similar samples on MalwareBazaar
TLSH T10A8423A403A1993BD4DE4336A8975E000279A54FB58BFB7E43CCD26A3D673D2D1923D2
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
询价 2021 Accell Nederland.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-09 00:38:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3e39973-f664-4446-9c78-8153326f67e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204477/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.18950.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618a6a46175442ca93a911fd/reports/b3248ee0-1190-48bf-b2f4-e25f6c98eee9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dca7d5e1-7434-40cc-ad0c-c789971ac5f9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885972
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/60da6c2f0f43cce70ed009a733d560e61812ae324051c560bdd1f9000106b3f8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-09 01:04:36 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdngylypipgoodwqbgtthvla4ymbflrsibi4kyf52h4qaaigwp4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3f73be7622417491d8aec2845f0db1de3f5a3bba9052c1e5e8fa5c38f761c7c5
AgentTesla
66a3e3be3b63626de046621d447103e0978f5b24d3de0f412230ed6c2bfd6e28
AgentTesla
7357c095ad53d99a7ca93cda8a2c4994bbe5e7db1f7fbb6928186a3dbd0975ea
AgentTesla
7e761146417fe50b717e75ce3526dc46a22e6c416bb61ee18c23cd3a6909c5ec
AgentTesla
b30b08c58db97c9b2b9b14b6ab283996549db585c2f7625c72c2fe9bd7d8dc18
AgentTesla
babefd091cac5677f905102c15edbbdb8556e351fb24c3b1f5ee5ab59175d62f
AgentTesla
d0e7f5daadb45d6d43e608cfbce838da2740791a01e79457d4ee69514b56601c
AgentTesla
e4430ff0b0e7ec35e83d08b14372872695019ec4f9a3d985fcb6e60376d2927d
AgentTesla
+ 12'529 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211109-pql2cafbh3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
4c5ebbd2d51081faf075caa79f47c81981d82d2478c4d9bbe002223017c17760
MD5 hash:
4cf41114e0a655ee7fd11d8bb4922fb5
SHA1 hash:
780450115b307fa81b3195a3e00fc5683ffe1238
Link:
https://www.unpac.me/results/82694c13-5e89-4579-bd20-28526cb167de/
SH256 hash:
91655863c7906a8d20c7c782144f553c027843a72f2fdab2b1ccc80808083af0
MD5 hash:
b5044dd0e9c91b1a9185d491da7d07f2
SHA1 hash:
a9ff8129771d85f77b6a145f750c70e53f51125e
Link:
https://www.unpac.me/results/82694c13-5e89-4579-bd20-28526cb167de/
SH256 hash:
d52564a2c0015e3f364d3d0f0004160136e58fd0813d20ee38925e2ccc290e59
MD5 hash:
e4ac7d5917809ad9ed9ea1974676c063
SHA1 hash:
fd179125724fabca7b4064bc5f88d556fb01494c
Link:
https://www.unpac.me/results/82694c13-5e89-4579-bd20-28526cb167de/
SH256 hash:
60da6c2f0f43cce70ed009a733d560e61812ae324051c560bdd1f9000106b3f8
MD5 hash:
1b46553b0eddc10b8dd962e3d2d060c2
SHA1 hash:
c7a7f03b4290755bddc8ab5e3cfd5cbcf9c90d5b
Link:
https://www.unpac.me/results/82694c13-5e89-4579-bd20-28526cb167de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/60da6c2f0f43cce70ed009a733d560e61812ae324051c560bdd1f9000106b3f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 696af21363abdc6892fa25b8959f0ae718fb236e7efbd838a9a0931b04534e30

AgentTesla

Executable exe 60da6c2f0f43cce70ed009a733d560e61812ae324051c560bdd1f9000106b3f8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 696af21363abdc6892fa25b8959f0ae718fb236e7efbd838a9a0931b04534e30
Cape
Cape
https://www.capesandbox.com/analysis/204477/

Comments