MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178
SHA3-384 hash:	96980762cbd35ca754eb889c62bde322d3cabb06453de20d3c7c765493f60fea40e5c390f8fbb5d89b2d0162df52fe86
SHA1 hash:	37a2a91c93a0f9c1d90476e3cbf52155bb154d65
MD5 hash:	761a8f1a031798a2912a2fc2ccd33ea3
humanhash:	tennis-oven-neptune-october
File name:	27.6.2023 bbq 9w 300pc.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	671'232 bytes
First seen:	2023-06-30 07:16:53 UTC
Last seen:	2023-06-30 07:17:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Scxb3RhVajstYyf4b8sTBeOMn821E3z/7J:dbLAwtQAs1FMvo
Threatray	181 similar samples on MalwareBazaar
TLSH	T17EE47A3C18BD2A37C134DAB98FE5C463F554D53B3922AA3264C797A44746EA325C323E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

27.6.2023 bbq 9w 300pc.exe

Verdict:

Malicious activity

Analysis date:

2023-06-30 07:32:57 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/2b7570a7-01ec-4811-906e-5415f2bae80e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/403956/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67810769.7087.410.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Launching a process

Restart of the analyzed sample

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/649e81701a035eeff9b38b12/reports/ba051231-458d-49d1-aed4-35ba3481fc36/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/44d9dd95-f608-4cdc-af1e-9f98fa9f1a5b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1263770

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-06-27 14:52:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 37 (62.16%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mextv3fthxydumhsykqjzzarmdmqui4izoxxl4pu4p5s5yqy4f4a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

397046da411436841b9eee2f3edc21f72ba89f0165a29e1fef0cafa6755fcdb0

AgentTesla

3cd8941da73295f75980a8c38d92902b378614aabddfb395121cbc1724abce22

AgentTesla

6e4b2204ab34ef1534d3c80e379e200f37a05e04ed2856d2df2f5983e9351ce6

AgentTesla

7acc949f4e01f5ee720f2821349e3a0dcf05a7ac15470a8d7f6ff9aef1d00d2e

AgentTesla

7e7f1d18321207cbaabea3f8c316d13c13dbfae51a52a42c5a9d3c5478f75454

AgentTesla

87f7348a8731af0346cfcc709488d0831a95236f554d2f8a50e12eea1ceb6764

AgentTesla

d699b78d72ce231d7135f8cdfaacc074fda40d644cb7c0f089987cd502bea3f0

AgentTesla

+ 171 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230630-h4c72agd74/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

abe7d211e080f1dfaef4dd585e5677fb86e4a4f42959cee0d96306077c6c8aa1

MD5 hash:

bf3d973ba06d98fca768442a8e271c2a

SHA1 hash:

935cbb72ea887f8529881f1a23aee8fe7f91ef64

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795

MD5 hash:

12b0878e8abca3141f8fc111172cbfe1

SHA1 hash:

8703c0f114bb7cd0298caa4d5fd28cf98c370791

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

Parent samples :

0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178

SH256 hash:

2533d367f9ac30872666f71c6c786ddf9c1a60e24e07dfbc015d1640c5882743

MD5 hash:

8f43f2be0d3afe4c94a76594f04a9735

SHA1 hash:

6ab89fc9c930c99412593c7237baccc90f8c4c5b

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

abe7d211e080f1dfaef4dd585e5677fb86e4a4f42959cee0d96306077c6c8aa1

MD5 hash:

bf3d973ba06d98fca768442a8e271c2a

SHA1 hash:

935cbb72ea887f8529881f1a23aee8fe7f91ef64

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

abe7d211e080f1dfaef4dd585e5677fb86e4a4f42959cee0d96306077c6c8aa1

MD5 hash:

bf3d973ba06d98fca768442a8e271c2a

SHA1 hash:

935cbb72ea887f8529881f1a23aee8fe7f91ef64

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795

MD5 hash:

12b0878e8abca3141f8fc111172cbfe1

SHA1 hash:

8703c0f114bb7cd0298caa4d5fd28cf98c370791

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

Parent samples :

0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178

SH256 hash:

abe7d211e080f1dfaef4dd585e5677fb86e4a4f42959cee0d96306077c6c8aa1

MD5 hash:

bf3d973ba06d98fca768442a8e271c2a

SHA1 hash:

935cbb72ea887f8529881f1a23aee8fe7f91ef64

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

2533d367f9ac30872666f71c6c786ddf9c1a60e24e07dfbc015d1640c5882743

MD5 hash:

8f43f2be0d3afe4c94a76594f04a9735

SHA1 hash:

6ab89fc9c930c99412593c7237baccc90f8c4c5b

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795

MD5 hash:

12b0878e8abca3141f8fc111172cbfe1

SHA1 hash:

8703c0f114bb7cd0298caa4d5fd28cf98c370791

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

Parent samples :

0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178

SH256 hash:

2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795

MD5 hash:

12b0878e8abca3141f8fc111172cbfe1

SHA1 hash:

8703c0f114bb7cd0298caa4d5fd28cf98c370791

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

Parent samples :

0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178

SH256 hash:

2533d367f9ac30872666f71c6c786ddf9c1a60e24e07dfbc015d1640c5882743

MD5 hash:

8f43f2be0d3afe4c94a76594f04a9735

SHA1 hash:

6ab89fc9c930c99412593c7237baccc90f8c4c5b

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

2533d367f9ac30872666f71c6c786ddf9c1a60e24e07dfbc015d1640c5882743

MD5 hash:

8f43f2be0d3afe4c94a76594f04a9735

SHA1 hash:

6ab89fc9c930c99412593c7237baccc90f8c4c5b

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

SH256 hash:

612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178

MD5 hash:

761a8f1a031798a2912a2fc2ccd33ea3

SHA1 hash:

37a2a91c93a0f9c1d90476e3cbf52155bb154d65

Link:

https://www.unpac.me/results/fd5c55bd-7d25-40a5-beee-1d49d732075e/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/612f3aecb33d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/403956/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample