MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6287b244e3888711717a3fe8613316fce70dbec3b54dc431ad953ba6f1270cc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6287b244e3888711717a3fe8613316fce70dbec3b54dc431ad953ba6f1270cc7
SHA3-384 hash: 896e076bb30e8704cd9e4d3789f3934fab7b5eb0c6242849992514a46962a9fb2f114c6d2ad4c4c1e39b28463fda211c
SHA1 hash: 20cb6cda2a4a1a4f9000a411a2b37943fe92e154
MD5 hash: 0837e44788e3054db05beaeb1cd125fe
humanhash: video-indigo-nevada-red
File name:SecuriteInfo.com.Win32.PWSX-gen.22902.28060
Download: download sample
Signature AgentTesla
Create hunting rule
File size:605'184 bytes
First seen:2022-11-30 09:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:wqxxXcULg7TOeZgebQyXDGL8YC2OfxAkGpZsr+Sln:wqzpk7TdVbQUDa81HfxoZ6l
Threatray 23'087 similar samples on MalwareBazaar
TLSH T112D4F762C7B1C946F93388EEA3DC6B554C6851C148A84849CC273E905E78CABF5FC9F9
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.22902.28060
Verdict:
Malicious activity
Analysis date:
2022-11-30 09:33:19 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/12592cc6-d9d5-4087-b1be-e00b5c50a4e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340006/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22902.28060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638722d7559d07a06f48b2cd/reports/7424c11d-b40a-49ed-8e80-35a207ec0b5a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31f35956-2022-426d-b1f4-9d46a0301480
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123785
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756511 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 30/11/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 8 other signatures 2->53 7 SecuriteInfo.com.Win32.PWSX-gen.22902.28060.exe 7 2->7         started        11 VLeDluxOZvK.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\VLeDluxOZvK.exe, PE32 7->37 dropped 39 C:\Users\...\VLeDluxOZvK.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmp2128.tmp, XML 7->41 dropped 43 SecuriteInfo.com.W...22902.28060.exe.log, ASCII 7->43 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Writes to foreign memory regions 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 RegSvcs.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 23 RegSvcs.exe 11->23         started        25 schtasks.exe 11->25         started        27 RegSvcs.exe 11->27         started        signatures5 process6 dnsIp7 45 ftp.alonsorojasmudanzasnacionales.com 162.213.251.217, 12099, 21, 49695 NAMECHEAP-NETUS United States 13->45 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->71 73 Tries to steal Mail credentials (via file / registry access) 13->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->75 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        77 Tries to harvest and steal ftp login credentials 23->77 79 Tries to harvest and steal browser information (history, passwords, etc) 23->79 81 Installs a global keyboard hook 23->81 35 conhost.exe 25->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6287b244e3888711717a3fe8613316fce70dbec3b54dc431ad953ba6f1270cc7/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 07:55:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkd3erhdrcdrc4l2h7ugcmyw7ttq3pwdwvg4imnnsu52n4jhbtdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07409207c9d9ff74fb335683ac5fc6060185619b28f318262460382c0078a1bf
AgentTesla
1015fb1f960c808990e8911a5a4de7ac50d31812a71dc298f357dc668a5b794b
AgentTesla
4a18558d47715d4869b75f738052786c8b85681aea3ff093002cd6b9dfd55c1c
AgentTesla
571b5a5b56217afed525b3602ef2b894650c6c419fc18e70bfe74e2973e207f2
AgentTesla
6b59d76199d1a4888ca721964f26a896bc50924c48cf358534c05e371b084458
AgentTesla
79824a68ef3795850a225075666622469f026c0f5e983af0e5d01c681270f85a
AgentTesla
eeabb0a04ea59624d05185afbbf4a1c8e5db554c0c325871c4c0ac5de34c5547
AgentTesla
+ 23'077 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221130-lg25esgg45/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6350bb36-945f-42e9-ac5e-11e53fb4a97a
Unpacked files
SH256 hash:
4b2de6032787eaa21448c11c5868d51b508f2ecbd8c38d40263fb89a51dd1b2c
MD5 hash:
1f4c3f65a16c1b5c4aaddebca58cf6fb
SHA1 hash:
e0d6501d80df8f5ec8004a3ac0265e060d545145
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/08f3a164-421f-4c6a-991d-3fe5a90a63c9/
Parent samples :
d2f993ff59a92848cfc6be4eb2f84423aec3736140da53cdb8fbf36d81c7c2f3
8e520f1ecc9ee00de91d22b0b66dcd59023efa5c8d89812801c36e4362b32539
bbbaabfbbaff1be76997a22ce42b0bba54f1c9579a12c485157d4d1606cc99d9
6287b244e3888711717a3fe8613316fce70dbec3b54dc431ad953ba6f1270cc7
3b104fc01064b1cf703af9e8483e0c81c972c8f9da8c7927efebc1ef6409d22e
cfdb6a52765c4f03471458ce196e160f320cc15223358b9e56266af135895173
f10dd98b11b51294979160959031a2087f00361c546d945d75a4c2fd7fac6c28
3fb98b057620b6aad473c5e6a67c38c601d05272db5128b108c77c22cfb2fce2
ed684b6619d2af10776e9f6e7e61ee30844d968e72f20754cab58c80c7a489af
d40d085b1c2f603ce77a22a4c0fc095b79eb62c477a4f8194576380249f61b99
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/08f3a164-421f-4c6a-991d-3fe5a90a63c9/
SH256 hash:
88bdcd2beb8d4b19000303ba19d817aae71586b452ffb16835615c93545d06af
MD5 hash:
2bfb4d0ea98a8564987c914aacbc2c7a
SHA1 hash:
793bffde5c3a4c55eef1177575d54e136b633707
Link:
https://www.unpac.me/results/08f3a164-421f-4c6a-991d-3fe5a90a63c9/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/08f3a164-421f-4c6a-991d-3fe5a90a63c9/
SH256 hash:
7e5ed630f5c71a5a486602127ac6dcecc0141e84d106fee59e2fda1a7dfdaaca
MD5 hash:
9f6eaf8bdc431b8bb131feb158909796
SHA1 hash:
2698fd60df35bc653d25b402271777a5b8d2f6a8
Link:
https://www.unpac.me/results/08f3a164-421f-4c6a-991d-3fe5a90a63c9/
SH256 hash:
6287b244e3888711717a3fe8613316fce70dbec3b54dc431ad953ba6f1270cc7
MD5 hash:
0837e44788e3054db05beaeb1cd125fe
SHA1 hash:
20cb6cda2a4a1a4f9000a411a2b37943fe92e154
Link:
https://www.unpac.me/results/08f3a164-421f-4c6a-991d-3fe5a90a63c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6287b244e3888711717a3fe8613316fce70dbec3b54dc431ad953ba6f1270cc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/340006/

Comments