MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60e8369274c3d4b5ae049be69ea47137bb9e4a23fd65fc6c0555aaffd9a2c735. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	60e8369274c3d4b5ae049be69ea47137bb9e4a23fd65fc6c0555aaffd9a2c735
SHA3-384 hash:	c8cb80357a9a9f754c5c9b84adf85ec8adbd8ca9d6030e58132d12c30dd50747ea401b51df59110b253abdb19df213a7
SHA1 hash:	8059b85600ad4061a1d4329463d9010c1465c6fe
MD5 hash:	272f0941cb343602f261375e20241fe6
humanhash:	wyoming-papa-fillet-mirror
File name:	SecuriteInfo.com.W32.AIDetectNet.01.21948.12606
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	783'360 bytes
First seen:	2022-06-01 15:38:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:n4s26SIcd1AaCR5m4rsgg+r1JZ07KmFJkvmQ+DhhWyr2EN9UOLI0rYgI5EIP+eGt:4s2z09YIfg+r1s7XkujjWy2E/UARB4RS
TLSH	T1B1F4021032AD56A8C6BE877A0075C210137D3D26FA2DDB1E3A92B48D2CF77815E167E7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

370

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.21948.12606

Verdict:

Malicious activity

Analysis date:

2022-06-01 16:04:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8b77ea43-2269-48ac-aaea-00c6557ebb23

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/276130/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.21948.12606.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/65b9cb43-168d-4f30-8084-d041c1554da9

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1005192

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/60e8369274c3d4b5ae049be69ea47137bb9e4a23fd65fc6c0555aaffd9a2c735/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-01 12:37:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mdudnetuypklllqetptj5jdrg65z4srd7vs7y3afkwvp7wncy42q._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220601-s3lswsheb5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

27c9d29f1443050dfea8e071a9df88562475bc58fcf576644c141fdcbafd33a0

MD5 hash:

3a0bb2aad380b265e6bd2e923ca2f2c4

SHA1 hash:

e0892ec6ebc927ef853470c4b4fd5a05b4851e7c

Link:

https://www.unpac.me/results/6d948991-1a8c-4bc7-9244-a86a5b36654c/

SH256 hash:

7e9f7d28e372ae718b887830995417fd0d789202f5a51b59dc3e60d0d22a3c41

MD5 hash:

dd43c2fd1ee1bea3f70cb1367565df68

SHA1 hash:

d42d08dd78047ef19894625b482f292bea63ab91

Link:

https://www.unpac.me/results/6d948991-1a8c-4bc7-9244-a86a5b36654c/

SH256 hash:

025fd34b016ccc03c7b25390c3c0478943d182fed1198311d62383475d055753

MD5 hash:

b654b004329901c99c2541222c7a49e8

SHA1 hash:

582abc36d21bdce1b63f82131ff22a7c405d983b

Link:

https://www.unpac.me/results/6d948991-1a8c-4bc7-9244-a86a5b36654c/

SH256 hash:

879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504

MD5 hash:

30b6a54a992eae921a2eb8c5ea130911

SHA1 hash:

1c83f0319bffe007077c6656418c9b7344d5affe

Link:

https://www.unpac.me/results/6d948991-1a8c-4bc7-9244-a86a5b36654c/

SH256 hash:

60e8369274c3d4b5ae049be69ea47137bb9e4a23fd65fc6c0555aaffd9a2c735

MD5 hash:

272f0941cb343602f261375e20241fe6

SHA1 hash:

8059b85600ad4061a1d4329463d9010c1465c6fe

Link:

https://www.unpac.me/results/6d948991-1a8c-4bc7-9244-a86a5b36654c/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/60e8369274c3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60e8369274c3d4b5ae049be69ea47137bb9e4a23fd65fc6c0555aaffd9a2c735

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276130/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample