MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d
SHA3-384 hash: 028c8dd95b533a3392add2ca202e80d3a3eacbf5521ebcae923526ac79516773a4d8ebd0d4915f0be61c5579f2f954a7
SHA1 hash: f8258bb124a6f804506b131c7d57a31a2f078eb0
MD5 hash: ebc8ec9a0aeb1691f44ea48a4a5c927b
humanhash: maine-uncle-johnny-king
File name:RFQ-06062024.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:806'912 bytes
First seen:2024-06-06 15:27:11 UTC
Last seen:2024-06-06 16:21:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:SU7C3c6FC0vNxeJYQ7MDhY+QSiqCgtY+VTvC:SQ8GJYZYVSi5gtY+VTv
Threatray 5 similar samples on MalwareBazaar
TLSH T13105022672684F86D62543FEE660A2506F30706F6032EBD07DC561EF5E76B0406AEB1F
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 64e4a4a4e4e464a4 (10 x AgentTesla, 8 x Formbook, 1 x Rhadamanthys)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d.exe
Verdict:
Malicious activity
Analysis date:
2024-06-06 16:40:06 UTC
Tags:
smtp exfiltration stealer agenttesla
Link:
https://app.any.run/tasks/1b23f94d-a139-44fd-ba39-a20e7623e1d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2511.4972.11287.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6661d589ef9fdf64aa6876b7/reports/79617067-942d-4de6-bdd6-0740c40411e0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/143ce2ce-355a-463b-92f3-e368876711d0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1453241
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1453241 Sample: RFQ-06062024.exe Startdate: 06/06/2024 Architecture: WINDOWS Score: 100 48 mail.toyotasialkot.com 2->48 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 11 other signatures 2->58 8 RFQ-06062024.exe 7 2->8         started        12 HAiyhtG.exe 5 2->12         started        signatures3 process4 file5 40 C:\Users\user\AppData\Roaming\HAiyhtG.exe, PE32 8->40 dropped 42 C:\Users\user\...\HAiyhtG.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmp34A4.tmp, XML 8->44 dropped 46 C:\Users\user\...\RFQ-06062024.exe.log, ASCII 8->46 dropped 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Adds a directory exclusion to Windows Defender 8->64 14 RFQ-06062024.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        28 3 other processes 8->28 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 70 Injects a PE file into a foreign processes 12->70 22 HAiyhtG.exe 12->22         started        24 schtasks.exe 12->24         started        26 HAiyhtG.exe 12->26         started        signatures6 process7 dnsIp8 50 mail.toyotasialkot.com 158.69.103.250, 49709, 49712, 587 OVHFR Canada 14->50 72 Loading BitLocker PowerShell Module 18->72 30 conhost.exe 18->30         started        32 WmiPrvSE.exe 18->32         started        34 conhost.exe 20->34         started        74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->74 76 Tries to steal Mail credentials (via file / registry access) 22->76 78 Tries to harvest and steal ftp login credentials 22->78 80 Tries to harvest and steal browser information (history, passwords, etc) 22->80 36 conhost.exe 24->36         started        38 conhost.exe 28->38         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-06-06 03:34:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mejkrejpid4v37vpuebcwle6rytbsxulg3qgcnwakldgq66zqfwq._file
Verdict:
unknown
Similar samples:
1f7dcd5994d22e9acfb0313d58b4227abcd33966ae38863d91fbed5a0cd7b415
AgentTesla
970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683
AgentTesla
d5a64294b4a47e260bf84a9819474e15fa6ffe9ee515a5db68967fd2837f9f1d
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240606-sxnqasgh85/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Unpacked files
SH256 hash:
55e49224d472a8a0abffb1299bfa8d241d6318210ea1d16b326bd8bce5e48fb6
MD5 hash:
d16fb18e6dde15248eb68598065137cd
SHA1 hash:
e688bbe327969ce750ccbac0bfc45656c657d8ef
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/66ae21b3-2c2b-487a-9c36-fe19d726d43a/
Parent samples :
6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d
094267690920de1d9aa379b972daa9de0a8abb2d599119e96d4a3031d033f317
9d7b5a17c707bea5a817fafa46b0efa68f1ec66588f952dab4ba8610c9a66e6f
SH256 hash:
1a1de9f3fe4c3a7ea7cd547cdd9d78b3873d6e243e544e5bb647452d6d9f6cfe
MD5 hash:
ceb52a5c98659e8905ea76737fe00c01
SHA1 hash:
bb7b30ff84d6aa26eaa0021c9fa3cd2c5a08e694
Link:
https://www.unpac.me/results/66ae21b3-2c2b-487a-9c36-fe19d726d43a/
SH256 hash:
7aed5c5a6e56c54214cf9c2c178d10c652f16901b84a561496ca698649d46eaf
MD5 hash:
570152e0a39bfa74f596983373255435
SHA1 hash:
733489b9b84c60cbf4acb7bdb99a678e1b320e3e
Link:
https://www.unpac.me/results/66ae21b3-2c2b-487a-9c36-fe19d726d43a/
SH256 hash:
e9319f360d8400e7dd18207e0731d4222b7b88f6aece7641cb960a033dfbe043
MD5 hash:
90af36207084292ebceaf0aa6a1586f7
SHA1 hash:
2583769c47d4203a8263aefeeb72b7194e272d5e
Link:
https://www.unpac.me/results/66ae21b3-2c2b-487a-9c36-fe19d726d43a/
SH256 hash:
6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d
MD5 hash:
ebc8ec9a0aeb1691f44ea48a4a5c927b
SHA1 hash:
f8258bb124a6f804506b131c7d57a31a2f078eb0
Link:
https://www.unpac.me/results/66ae21b3-2c2b-487a-9c36-fe19d726d43a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6112a8912f40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6112a8912f40f95dfeafa1022b2c9e8e26195e8b36e06136c052c6687bd9816d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments