MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60ef6cebb8be31d48b6d182a5df9597a74e0978c3bae05a43167775deba9199c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 7


SHA256 hash: 60ef6cebb8be31d48b6d182a5df9597a74e0978c3bae05a43167775deba9199c
SHA3-384 hash: 11ee3c81f6caad5ddd30a1882b746a5ac8a3d935da46fea9e68a41723466af55ef49d1bb5490687c94d0b4e14ae022c9
SHA1 hash: 5df5cecd18f8e697c568139a6243edc14262be83
MD5 hash: 8615256fecd0cd6195be707f622c6f31
humanhash: venus-georgia-robin-robin
File name: Receipt_confirmation2 IP77108 03_05_21.exe
Signature: AgentTesla
File size: 298'496 bytes
First seen: 2021-05-03 06:35:20 UTC
Last seen: 2021-05-03 07:01:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:Ol/wMutVAUm9IbdUjhic07SfJbu5+Sq6rTpCBBGjaiG:Ol/w9V9m9Ibz7iW+rMlpGiG
Threatray: 88 similar samples on MalwareBazaar
TLSH: 0654E0FFBA59966DC1E8287966CA46D585D3EC61C773ADD332C8772A873303B450032A
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 105
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Sending an HTTP GET request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Behavior Graph ID: 402504
Sample: Receipt_confirmation2 IP771...
Start date: 03/05/2021
Architecture: WINDOWS
Score: 100

Sample-level network: mail.firstcredittrustbnk.com; firstcredittrustbnk.com
Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Yara detected AgentTesla; 5 other signatures

Process tree:
- Receipt_confirmation2 IP77108 03_05_21.exe (started)
    Network: launcher.worldofwarcraft.com 137.221.106.103, ports 49709, 49731, 49732 (BLIZZARDEU, United Kingdom)
    Dropped: Receipt_confirmati...P77108 03_05_21.exe (PE32); Receipt_confirmati...exe:Zone.Identifier (ASCII); Receipt_confirmati...08 03_05_21.exe.log (ASCII); C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
    Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
    - Receipt_confirmation2 IP77108 03_05_21.exe (started)
        Dropped: C:\Users\user\AppData\Roaming\...\MSword.exe (PE32); C:\Users\user\...\MSword.exe:Zone.Identifier (ASCII)
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    - wscript.exe (started)
        Signatures: Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
        - powershell.exe (started)
            - conhost.exe (started)
    - AdvancedRun.exe (started)
        - AdvancedRun.exe (started)
    - 3 other processes
        - AdvancedRun.exe (started)
- MSword.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
- MSword.exe (started)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-05-03 06:36:13 UTC
AV detection: 6 of 47 (12.77%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SHA256 hash: 37618641ed3c6991734ab4f4a4904a43a356268ece0119e727912211861bcaa3
MD5 hash: 9a657b7112955ba05ca19b21955c884f
SHA1 hash: edb58025a55e44b25b8a7a41c63ad4750dae4480

SHA256 hash: 765a6f93835875182f49f4110d6db9bb258206dcac3e4a4fefaedf710ffff2d1
MD5 hash: 31a76e0b8f8f573d100d30122f6caf73
SHA1 hash: 9bd570e749e3123d92a2c0b16e50d5518f7bcd22

SHA256 hash: d4afee837ff0c808ac56dcebfe903a75e2ea0640da2cb552c91fa383ab5ee47e
MD5 hash: cd01810c7cbfbd939a61b023daf628b7
SHA1 hash: 97aa91567bc8785ef9ab08fbd0a80c53be14c160

SHA256 hash: 6f768d88ce6fe364ccc5508073c5a91500bc2e6e01556b5a6a8be534a86e3b68
MD5 hash: 8ae6a81223938d2098688978c2bd5f3d
SHA1 hash: 21a5124952e30a07252d51abaaf2cf475b22e41a

SHA256 hash: 60ef6cebb8be31d48b6d182a5df9597a74e0978c3bae05a43167775deba9199c
MD5 hash: 8615256fecd0cd6195be707f622c6f31
SHA1 hash: 5df5cecd18f8e697c568139a6243edc14262be83

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.