MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e
SHA3-384 hash:	98e2e67d565967b6b68fc171a11feb8b16e5fe1f7bda901e768ab9055234d3a6ffebfe1726021dfe46ef85525844bb12
SHA1 hash:	42243d2d6cf54f11021262cf46346088d33e602b
MD5 hash:	15ff9955368f9c4b2e5042bcccf84331
humanhash:	lemon-green-ceiling-freddie
File name:	QiHu2b7HMHafiPp.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'044'992 bytes
First seen:	2023-06-07 11:48:09 UTC
Last seen:	2023-06-07 11:50:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:ryr5/47m5E+8sFDi0HSLwQ12g0Wli4xj:ryr5/4sFjSR2g0WM4xj
Threatray	4'906 similar samples on MalwareBazaar
TLSH	T1C425021477FE4F1AD8796FF80910513483F6662A247BE2195EC369EF6DA0FC04E80A67
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QiHu2b7HMHafiPp.exe

Verdict:

Malicious activity

Analysis date:

2023-06-07 11:49:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/434c6bf5-0285-44ed-9a93-5db5c9f05a1b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/396381/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33864352.8409.19711.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/64806eaf82df37afde48fb03/reports/07642e15-fb0a-4de8-b96f-836c9a84af06/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e059c1ba-e0ab-4f53-86e2-cef4006519e7

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1250244

Signature

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-06-01 17:35:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 37 (70.27%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mhdvydktehnsthsyx6izqyhjv6seohsos7o52ah222twdtoquypa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

6076d3956e79dc8752564da23a3dfa0100509b647128e82552bd234e5fa61ae8

AgentTesla

9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901

AgentTesla

95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

AgentTesla

9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51

AgentTesla

a558acd6978677d1f7ea7e1a18f675d7a49b0c3216633b2aac042abc2d0a54af

AgentTesla

add5620949d2784c56b3fbd811a417a72318dca2f8eda9fbe2757c60f272040d

AgentTesla

c7b3ec3ac46bb0ccc41cde29a371ed3c84aff73d70ddd668f2c5bcb5ba3b2819

AgentTesla

e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4

AgentTesla

+ 4'896 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230607-ny1c9shh33/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

3214ce6d699782a1bfcca1a5f01137de8c7d5c377d7a4208775f2ed8c2478304

MD5 hash:

bcee068cbec8334f277bcfe996548f6b

SHA1 hash:

f3d28a05ff6a88269df288ccc4a174822947a750

Link:

https://www.unpac.me/results/4efbeaba-45d0-4daa-95af-59f5855987fc/

Parent samples :

1a30bc0d430f010b44ea3768053a0889efab84eb1b5b199153b487633733de78
9e19816e28ea81520a46e89d85f46e573f4feed5eb0eef8537c36b1120bed32f

SH256 hash:

c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d

MD5 hash:

9390df6c9a6111978dee5414bc42eda6

SHA1 hash:

d3cb1c366b9e466afa93eb369838a04d30777795

Link:

https://www.unpac.me/results/4efbeaba-45d0-4daa-95af-59f5855987fc/

SH256 hash:

5e2ae23b1d55bc3bca71b90bfb928214dbd2e5f6179525a13a6bec21bfeeec6a

MD5 hash:

9cb708eae788326e32117c14ee8bee45

SHA1 hash:

9ca155055ba4f360190f4097f57ce23792f13b47

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/4efbeaba-45d0-4daa-95af-59f5855987fc/

Parent samples :

add5620949d2784c56b3fbd811a417a72318dca2f8eda9fbe2757c60f272040d
61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e
50ac458169dd382176f04c26b8538ce829c903bf60cc2fa5ca7681feba1a7a98
aebd9abedf05d17f9fd3c7e3f5d35401ab52148f00b81e067f4688f84ed659f7
466152ce57063783bc73fe86736ecebcd168335df5212c71f6a15cab3cc2b5ab
1b9a2dc6ca050349b9b0f180706742b64e734eb334c02afd87d7108eff1d4ec8
b72c1734f74d8174d1feb0775148c56903fa6edd409d1598cccff025f30d6cc5
885a126d8abff2e4d272e8df02fb03d836ba078053dc55257860780b0b4b05fa
0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459
339ae2cba0f3ce8bf4b3098daf78d5e4bfadeeae26762c697bdb63788927ee77
2af3e1758223c0432696bf2252d89659db6ea920b1c926fba92b3d327a4a7703

SH256 hash:

481e19deaf7d68ac87759d052cd9b009d72e3a6ee3dfce77e8d354b141c5aea1

MD5 hash:

396e766aa8d7b09fdf792a0fddf2a819

SHA1 hash:

75aee55fca2f4fb1a06b88479901b71852d88040

Link:

https://www.unpac.me/results/4efbeaba-45d0-4daa-95af-59f5855987fc/

SH256 hash:

c31ca5d22bdb3c05f976bdf659dd9e06b8e948af4e8e9c5358e2c36e962eb663

MD5 hash:

a969b167ce69602b8e7349660eeb6c8a

SHA1 hash:

3411294d80c3dddc0a3938a5de4da4120511503d

Link:

https://www.unpac.me/results/4efbeaba-45d0-4daa-95af-59f5855987fc/

SH256 hash:

61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e

MD5 hash:

15ff9955368f9c4b2e5042bcccf84331

SHA1 hash:

42243d2d6cf54f11021262cf46346088d33e602b

Link:

https://www.unpac.me/results/4efbeaba-45d0-4daa-95af-59f5855987fc/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/61c75c0d5321/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.