MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61be09959d978be406f292ebcd1e846a3506961d5aad498758079041a7adb418. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61be09959d978be406f292ebcd1e846a3506961d5aad498758079041a7adb418
SHA3-384 hash: 44f74aadceecd07f4dbb225c759cc2f5bba2ea8873483a257a1e0261d0c418068ea5a85173a642dd8f47dab934baeb9b
SHA1 hash: aa36ec52baac06bb553e8af80f8d0db0afecc87e
MD5 hash: c226d36e970fca2bb90984d2c2c694c4
humanhash: chicken-pizza-maine-cola
File name:shipping docs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:641'024 bytes
First seen:2022-08-15 03:39:20 UTC
Last seen:2022-08-15 04:29:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+gM2Tg5GiUOyCicxQyiF3r1YjzWIFLDyv32Pcew1Ln8ByVN8Qyx:ng5WOicWb3r10Q
Threatray 19'701 similar samples on MalwareBazaar
TLSH T1A1D4E59D3554718ECC23F531DD9B2CA4AA91AC662F0BB15F5023325A9A3C59FCF0C9B2
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
shipping docs.exe
Verdict:
Malicious activity
Analysis date:
2022-08-15 03:39:59 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/7fc18bf5-e3b1-4d14-848f-3e2bbb8f05fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298538/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.7016.5708.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62f9bffa810e2831b74a4182/reports/b16ae22c-342c-438f-a7d3-532cbab50a4b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a43a6c8-cdff-49b1-8e43-0c9d6057e443
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051291
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 683801 Sample: shipping docs.exe Startdate: 15/08/2022 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 13 other signatures 2->62 7 BkxIwM.exe 5 2->7         started        10 shipping docs.exe 6 2->10         started        13 BkxIwM.exe 2 2->13         started        process3 file4 64 Multi AV Scanner detection for dropped file 7->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->66 68 Machine Learning detection for dropped file 7->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->70 15 BkxIwM.exe 2 7->15         started        19 schtasks.exe 1 7->19         started        21 BkxIwM.exe 7->21         started        36 C:\Users\user\AppData\...\IkYQXVZlpn.exe, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp8B92.tmp, XML 10->38 dropped 40 C:\Users\user\...\shipping docs.exe.log, ASCII 10->40 dropped 72 Injects a PE file into a foreign processes 10->72 23 shipping docs.exe 17 5 10->23         started        26 schtasks.exe 1 10->26         started        signatures5 process6 dnsIp7 46 Tries to harvest and steal ftp login credentials 15->46 48 Tries to harvest and steal browser information (history, passwords, etc) 15->48 28 conhost.exe 19->28         started        42 api.telegram.org 149.154.167.220, 443, 49745, 49759 TELEGRAMRU United Kingdom 23->42 44 192.168.2.1 unknown unknown 23->44 32 C:\Users\user\AppData\Roaming\...\BkxIwM.exe, PE32 23->32 dropped 34 C:\Users\user\...\BkxIwM.exe:Zone.Identifier, ASCII 23->34 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->50 52 Tries to steal Mail credentials (via file / registry access) 23->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->54 30 conhost.exe 26->30         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61be09959d978be406f292ebcd1e846a3506961d5aad498758079041a7adb418/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-15 02:48:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mg7atfm5s6f6ibxsslv42hueni2qnfq5lkwutb2ya6iedj5nwqma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90
AgentTesla
291ddd3ed10197399b9d1002f0f7aaddc6c930939a06e403b86e6db8e56da122
AgentTesla
4aef951698cca692c50dce6fa767cb599ef9295d342b63a683a9b74229f878b0
AgentTesla
7ea7f489de6d01c09f1fe0fb1df6f05541c2d6e4ae01010c4f22981f7eb613e7
AgentTesla
81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2
AgentTesla
9b97e64d40e81141d4cdae8e350c4d8b43addef9dfea1392fae691402d7bb94b
AgentTesla
a9b46ddb3ed98e2ca5e71253a69f686e1f618f724821eb98b52b812844117f33
AgentTesla
d4db905520ea924c1198d7e374df7b637565d08f2fcdf3e52eda7716b727d38d
AgentTesla
e2a9e0c11faa8069f29ba0d4d3d8dc4824031548f7c01fc008121d111a94c365
AgentTesla
+ 19'691 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220815-d77tladhbj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5386855759:AAEl2-GkOAoImBPtsv5CaQujyh01bpxVfR8/sendDocument
Unpacked files
SH256 hash:
5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6
MD5 hash:
01800f6b045def8d90c649842f56d752
SHA1 hash:
f8434a4636d0772d01aac44bb3f9753a41f01d34
Link:
https://www.unpac.me/results/80ba0f6b-bb6c-4e25-8323-e8159b844220/
SH256 hash:
ebb3f7b6d9cc6d48f4e3c7fc4a6f4b31f9ca0dedc1dacd4b198eaf7e97cf07ee
MD5 hash:
6742be072c02dc86f70258947a3a4450
SHA1 hash:
e577adb14dc60aed3193eb30cd8c1f0799d3f07b
Link:
https://www.unpac.me/results/80ba0f6b-bb6c-4e25-8323-e8159b844220/
SH256 hash:
a08db37952684e0aa7e3970d1bea10748ab693efd391220889428131f25b35a3
MD5 hash:
f4fc95de3ed682b928491ad79b73766d
SHA1 hash:
4946bd16dd8da636c919d2f2209c0c3b391b9c61
Link:
https://www.unpac.me/results/80ba0f6b-bb6c-4e25-8323-e8159b844220/
SH256 hash:
61be09959d978be406f292ebcd1e846a3506961d5aad498758079041a7adb418
MD5 hash:
c226d36e970fca2bb90984d2c2c694c4
SHA1 hash:
aa36ec52baac06bb553e8af80f8d0db0afecc87e
Link:
https://www.unpac.me/results/80ba0f6b-bb6c-4e25-8323-e8159b844220/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61be09959d97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/61be09959d978be406f292ebcd1e846a3506961d5aad498758079041a7adb418

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 61be09959d978be406f292ebcd1e846a3506961d5aad498758079041a7adb418

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/298538/

Comments