MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495
SHA3-384 hash: 86c712909936f15f13790867586db1400c59f46784a5d552cf055545c0af92240f9a029aae88503b5c0fb7c9a69a5bbd
SHA1 hash: 582cd9ad32a6e208fba4b12513cfb92322ce962e
MD5 hash: 886186cd831b3e268f85d38a262a7b78
humanhash: pennsylvania-mobile-batman-tennessee
File name:30% SS23 Deposit.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:789'504 bytes
First seen:2022-07-15 12:25:51 UTC
Last seen:2024-07-24 15:01:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:dfjnjmnuckScbDrW5WW3R8WPudddagzUsiWh6XOfnbcaFg78MjobD9Y7coVfPah3:Jnjwnk/bvW333udddagzUsiWh6XOfnbL
Threatray 19'071 similar samples on MalwareBazaar
TLSH T115F4CFF335EB014CC845BDB5A8F06E27FA25DE36446F813EDF3E255A04EA1BA2841395
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0800e2eeece2e468 (10 x AgentTesla, 4 x NanoCore, 2 x QuasarRAT)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://37.0.8.144/sybz/inc/47da7df0355af0.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.0.8.144/sybz/inc/47da7df0355af0.php https://threatfox.abuse.ch/ioc/837980/

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
60465eac-6114-4825-b38d-c690054201de
Verdict:
Malicious activity
Analysis date:
2022-07-15 12:32:31 UTC
Tags:
trojan rat agenttesla opendir stealer
Link:
https://app.any.run/tasks/8abee57f-fffe-40ed-8cd1-f19021eb5492

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/289507/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d15cde83ba16fee5c51a5f/reports/43446110-dd9b-45f3-a36c-bdd907f9c582/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6e43b034-a104-404e-a9cd-e2b6024466b6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1032510
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 665000 Sample: 30% SS23 Deposit.exe Startdate: 15/07/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 6 other signatures 2->61 8 30% SS23 Deposit.exe 1 8 2->8         started        12 Xvggkdn.exe 2->12         started        14 excel.exe 2->14         started        16 2 other processes 2->16 process3 file4 45 C:\Users\user\AppData\Roaming\...\Xvggkdn.exe, PE32 8->45 dropped 47 C:\Users\...\Cflmdkefxnxrdpceoqvwnngdy123.exe, PE32 8->47 dropped 49 C:\Users\user\...\Xvggkdn.exe:Zone.Identifier, ASCII 8->49 dropped 51 C:\Users\user\...\30% SS23 Deposit.exe.log, ASCII 8->51 dropped 77 Encrypted powershell cmdline option found 8->77 79 Creates multiple autostart registry keys 8->79 81 Writes to foreign memory regions 8->81 93 2 other signatures 8->93 18 InstallUtil.exe 17 4 8->18         started        23 Cflmdkefxnxrdpceoqvwnngdy123.exe 4 8->23         started        25 powershell.exe 15 8->25         started        83 Antivirus detection for dropped file 12->83 85 Multi AV Scanner detection for dropped file 12->85 87 Machine Learning detection for dropped file 12->87 27 powershell.exe 12->27         started        89 Document exploit detected (process start blacklist hit) 14->89 91 Injects files into Windows application 14->91 29 conhost.exe 14->29         started        31 conhost.exe 16->31         started        signatures5 process6 dnsIp7 53 37.0.8.144, 49753, 80 WKD-ASIE Netherlands 18->53 43 C:\Users\user\AppData\Local\...\excel.exe, PE32 18->43 dropped 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->63 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->65 67 Tries to steal Mail credentials (via file / registry access) 18->67 75 6 other signatures 18->75 69 Machine Learning detection for dropped file 23->69 71 Encrypted powershell cmdline option found 23->71 73 Injects a PE file into a foreign processes 23->73 33 powershell.exe 14 23->33         started        35 Cflmdkefxnxrdpceoqvwnngdy123.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        file8 signatures9 process10 process11 41 conhost.exe 33->41         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-07-15 12:26:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mejg65hbfmprhqpqacuqxpfzdglz2xktvsfsaekao6mgul5qcskq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05dca89ce329cb875e67a787cdf2da72b726fa41e74bdaa1c42c02263b617933
AgentTesla
0b941474949e423ac573fffd588bef49af4b4e52cd7730439728e33acc7ee3d1
AgentTesla
0d0be8ecc5e7c7d3fb48665b5860aa8eb97d367f58af0de01e8bcff3861f4c52
AgentTesla
4f5057f749812cda5d588b54fa0e514a3c0acf82d2a7bc6ec4eb7074cc950683
AgentTesla
5193e7d006b375ac296ea34ab8917842faf6e0eeea196ad9319ea28d8ffcab30
AgentTesla
9a6f02f80c19a8672c61f7d38da24cada4d39dbcd850bd057eba28036c95e20d
AgentTesla
af6b1e2eb748f48a5e7b6a68301b0616a8a4e79845e17df2c9712caec453359a
AgentTesla
c7c7d3174d778b6ba5c42bc03fec75cf6dbf8a594823bc583ce3739d1598d50a
AgentTesla
c92a4ee57d56de225eb00bf5ecd01b83ab764a345f5477b3abc6e826812d8b3c
AgentTesla
cd99bf443858cc86ff01771eac6c76af45446b0082bfb9545006857ab04e3af5
AgentTesla
+ 19'061 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220715-pl66qaaeb2/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
AgentTesla
suricata: ET MALWARE AgentTesla Communicating with CnC Server
Malware Config
C2 Extraction:
http://37.0.8.144/sybz/inc/47da7df0355af0.php
Unpacked files
SH256 hash:
a998e84a03535a237def6655665f00cf6e8beed25768d9e21db8c29e7720442f
MD5 hash:
f6f6946907c92f45e90d2a57d3e0a597
SHA1 hash:
69413d9944ff7f8172285e62e817dd30a7403e2b
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
0c17eef19a8a107909e4aa614f127affb4f30e6972e438e9d1f391e4956325b0
MD5 hash:
e6095d21cedce52124416ab93e9f5fa4
SHA1 hash:
5742f2b5c2a3e18c317bb4c0da1de83a499c6264
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
0da8454d487c4b41c3e50a93ccadaf8f5db68fa7992bd307bb3216461db11c01
MD5 hash:
2a4e81136a4a35a2863cdb3f6779bbba
SHA1 hash:
ffb1789cce2cf0123eb5a31e560a316836f13460
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
e2fbb61dd022fed587e3f7c4d577ae77bc7759bfb0238a5b7a117dfb5e33dc6c
MD5 hash:
dc457cbc43004f7c684819d4095bce1a
SHA1 hash:
0e4ea8b833f8076682878065c3b19b57049f65f2
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
019b4dcd69905e2252def900fc3eb9cc609ef600db19aeb8e87ec88346108928
MD5 hash:
b60b57491ca6208115533e3981b08cc7
SHA1 hash:
b22262f67463dcf76d13ff04f3943b06bf75a74e
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
05c76525525c1cc879332a71bb2577562dd02460e5934074c022fa0a1e57f8f0
MD5 hash:
09bfa2d9755136515d89701d297d430f
SHA1 hash:
69f4cc287d0d6fff211da47ecc7a2c3e5cd77643
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
2580e349ead07690c50b7f5f768ed249fc3e1baa95b128b9b1a321eb443326b9
MD5 hash:
33a1a4ab1cc193d3aa99b665e6df17ac
SHA1 hash:
2d56b745cf339d0784f9aa1f9d714a6987a3ef26
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
444bdbfb8b9f70e191a934c0ee4e984e4a0baecd4266c60fa54e43ed9e6e20a6
MD5 hash:
0c873c8b1cc4d5bbdcc81607e963f4df
SHA1 hash:
0db37caf64e349a28e16e336933b855262f21279
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
SH256 hash:
61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495
MD5 hash:
886186cd831b3e268f85d38a262a7b78
SHA1 hash:
582cd9ad32a6e208fba4b12513cfb92322ce962e
Link:
https://www.unpac.me/results/2766339d-f778-4591-848c-7ef7613be1fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/289507/

Comments