MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61f4eee705342f7e875adc36c259693ec40a7682db74ab040b79dd189fffdf5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	61f4eee705342f7e875adc36c259693ec40a7682db74ab040b79dd189fffdf5a
SHA3-384 hash:	307ef9a3cb222d3801ad14c0a1c94a31242b734735e71caa4699f9b4cb3cdfe64164ca46980afce593d888b6a7a126ec
SHA1 hash:	b32f88e353427d321ca32e749363be34c156c478
MD5 hash:	a8e1a7def919d8b28273855f1453b810
humanhash:	yankee-xray-edward-gee
File name:	SWIFT MT 103 097436278.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	688'640 bytes
First seen:	2023-09-25 13:17:29 UTC
Last seen:	2023-09-25 14:31:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:tBjz7258yHGACwLfDEsrP/A0garkRCwfrfAp0vnGtGLhTxB/bCqzgTa3u:zjGwwLFrHAFpD7vnaGL
Threatray	5'781 similar samples on MalwareBazaar
TLSH	T1C6E4E08C7640B2EFC85BCA369B982D64E71075B7930BD203941726DE8E1D99BCF116F2
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b26969e8e8e8f0f0 (23 x AgentTesla, 13 x Formbook, 3 x SnakeKeylogger)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SWIFT MT 103 097436278.exe

Verdict:

Malicious activity

Analysis date:

2023-09-25 13:20:52 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/2f61d700-03f0-45c9-b735-3093b86102dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/451093/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.30299.12502.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6511888b83a0c6425dfedb4f/reports/97765445-93f2-431e-b54f-146b500f87b3/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/61f4eee705342f7e875adc36c259693ec40a7682db74ab040b79dd189fffdf5a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5466094c-536b-4c16-a49f-1bf496bc3655

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1313906

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/61f4eee705342f7e875adc36c259693ec40a7682db74ab040b79dd189fffdf5a/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-09-25 01:06:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mh2o5zyfgqxx5b223q3mewljh3cau5uc3n2kwbalphorrh7735na._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1024c5a32af1c1258ae59dd439ea7296f0bf4e85be62ba027afaff2adcf84256

AgentTesla

91c4358eb1c2c4d38b2c3e930eff281ab6cf22ae0200e4dfa49725fd4657e9f7

AgentTesla

b88f695c511fb7260c06b7e22c51dcea69ac6020cdfadaab785431d90047167e

AgentTesla

bbb9a417f02e708434b3737c20a59fa322c15b170be8befed9167c2f5573f2f0

AgentTesla

ca944d2c5a9eff2ec157e63cb5d4b756dd0abdc3c2bac0444b61419e4f225acf

AgentTesla

cd0e9bc33a68486a4e77ba0009de26524a62c27cc3b92cc1af054bb0a4af2d5d

AgentTesla

cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687

AgentTesla

ef0a41bf12a3085143abafdd6a05753acdfa9359cf4bd682d85b565fdeb00a22

AgentTesla

+ 5'771 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230925-qjybgagd23/

Behaviour

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

7e74294c70d3693c53abedcd4d36542f15c1117ca9aa00e7ba7b34b1e0876f26

MD5 hash:

dbd2c24fd6b239f498b71c327b423476

SHA1 hash:

fbbb41b6f47ae7630ef0f8d27689c1ec5923ed17

Link:

https://www.unpac.me/results/05bf3442-dbcb-40ae-9da3-42ebad109b6b/

SH256 hash:

8399eed8f5dc5fecc7916f402e8dae03d71d0534461faf22f7dc9ae3a12d8fd0

MD5 hash:

711e88662cf724813ef5482d656be0ac

SHA1 hash:

bd9955c989fca5c6add2ffc1949ad4477fbc25af

Detections:

AgentTesla

Link:

https://www.unpac.me/results/05bf3442-dbcb-40ae-9da3-42ebad109b6b/

SH256 hash:

abed99881ce1e05907653d1697ae232575d0cf067fd5cc646e2e5ee9f7337c82

MD5 hash:

491a7170bd8a7ed81d03a64ff2598bdf

SHA1 hash:

8325a5bccba80878a14032c06b78b34db808b910

Link:

https://www.unpac.me/results/05bf3442-dbcb-40ae-9da3-42ebad109b6b/

SH256 hash:

df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c

MD5 hash:

8383b9306b9b5929b0aed1f24991d929

SHA1 hash:

6acebb9f139a62de981a3ec15ce35f61f5c3132e

Link:

https://www.unpac.me/results/05bf3442-dbcb-40ae-9da3-42ebad109b6b/

SH256 hash:

61f4eee705342f7e875adc36c259693ec40a7682db74ab040b79dd189fffdf5a

MD5 hash:

a8e1a7def919d8b28273855f1453b810

SHA1 hash:

b32f88e353427d321ca32e749363be34c156c478

Link:

https://www.unpac.me/results/05bf3442-dbcb-40ae-9da3-42ebad109b6b/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/61f4eee70534/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/61f4eee705342f7e875adc36c259693ec40a7682db74ab040b79dd189fffdf5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/451093/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample