MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7
SHA3-384 hash: f201643be8855b0bf0e9d1034182af548f3ce9aa8939d31854945aeeefedae553c975701937f6c33b16bc85da227553e
SHA1 hash: 26d6a4ca1ebaf84173297aceb6cae7109a704ac4
MD5 hash: d4a7bb6784f76876a316e0cbbb13fcdb
humanhash: sierra-fanta-spaghetti-coffee
File name:Order Details.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:838'144 bytes
First seen:2023-03-10 06:42:02 UTC
Last seen:2023-03-10 08:31:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:CxBnKbL4tOK010j/RqFQ5LPssoeuzeSP8hxiNtrz:IBnK8dzRjCeMEQ
Threatray 1'300 similar samples on MalwareBazaar
TLSH T13A05BE446311A8BBCB6755BFF0522D28127CAD5EFEBCD6885945709B08EDFB408C29CB
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 68e8aab3b3e04468 (12 x AgentTesla, 5 x Loki, 3 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Details.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-10 06:43:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bdc9efb2-2ddb-43f9-b670-cb7aa6946a39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373206/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.842.22756.7159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/640ad14025f33fb2381ccd96/reports/25bc9c45-f25d-40cb-b464-64eaef0e2f23/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9cd31f38-d69d-4d38-8bab-0409f2fa0b47
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190920
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823796 Sample: Order_Details.pdf.exe Startdate: 10/03/2023 Architecture: WINDOWS Score: 100 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected AgentTesla 2->59 61 3 other signatures 2->61 7 Order_Details.pdf.exe 7 2->7         started        11 SLRyiTNFBrSZ.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\SLRyiTNFBrSZ.exe, PE32 7->37 dropped 39 C:\Users\...\SLRyiTNFBrSZ.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpB8DE.tmp, XML 7->41 dropped 43 C:\Users\user\...\Order_Details.pdf.exe.log, ASCII 7->43 dropped 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->63 65 May check the online IP address of the machine 7->65 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->67 73 2 other signatures 7->73 13 Order_Details.pdf.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 20 7->19         started        21 schtasks.exe 1 7->21         started        69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 23 SLRyiTNFBrSZ.exe 11->23         started        25 schtasks.exe 11->25         started        27 SLRyiTNFBrSZ.exe 11->27         started        signatures5 process6 dnsIp7 45 api4.ipify.org 173.231.16.76, 443, 49695 WEBNXUS United States 13->45 47 192.168.2.1 unknown unknown 13->47 49 api.ipify.org 13->49 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        51 104.237.62.211, 443, 49696 WEBNXUS United States 23->51 53 api.ipify.org 23->53 75 Tries to steal Mail credentials (via file / registry access) 23->75 77 Tries to harvest and steal browser information (history, passwords, etc) 23->77 35 conhost.exe 25->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-10 05:40:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmr3tywxxk2aotmim262h7wcyogaajr6xstcg7jfthx53l5nlt3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19f2aeff7f118bf524c7af4260ee3f8796e33853e441e5d1b10f0a103923d8a9
AgentTesla
2539c6afb8cadcca6bff6d5c73e3d345577681b31de03809b7431c1f15ae85b8
AgentTesla
3221b60a97d6becffd25f5aadc1679400a41f91e2538f203761809f9dd65039d
AgentTesla
4097ec9b7e47872f529451d84c79c68d22016553e63c95162306354a1b15a9d1
AgentTesla
9450b0c1420aae6d8f00f22aa358eab37a25eaa209f9e28ead150cdcb0508023
AgentTesla
aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344
AgentTesla
be5cbf5518ebb028042f1339131a2955d248c63e05123e44adb751ec9366f299
AgentTesla
f7ff5363ab3abab34b14cd4a9962d092a506a00c0ceca50f8666aa3bd93da5d0
AgentTesla
+ 1'290 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230310-hgdv2sca32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b76d1a0b7a2675f548520c01fc2571119a1b6c620df814cb06c356079ac1bbb5
MD5 hash:
80a89c86d0811e799dcb559e7cb3d074
SHA1 hash:
e7b5ce1f1af031eda2e6abd6fdc4607c9c57a28c
Link:
https://www.unpac.me/results/fbaa1396-a2b0-4a96-b255-d7da98b3a2d8/
SH256 hash:
c234684a33231d86ca3a0c6459d4fc982bfd2516807b0022d9094868d2111719
MD5 hash:
33846e3d38c36db71b091f1d26d97491
SHA1 hash:
a92e54e4016e792bd11828e92c66684f69309ea2
Link:
https://www.unpac.me/results/fbaa1396-a2b0-4a96-b255-d7da98b3a2d8/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/fbaa1396-a2b0-4a96-b255-d7da98b3a2d8/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
134758ec8121408ca6d98071c3f712adba5f7be881e2c0f60abd364720f9a969
MD5 hash:
b78580c7b21c1a7c062280a3aeb07a63
SHA1 hash:
4079f4dc1252779ceadff44d16372869c70d99aa
Link:
https://www.unpac.me/results/fbaa1396-a2b0-4a96-b255-d7da98b3a2d8/
SH256 hash:
cf71767bd3ee6bcb90f3c92f4836193b39b28347597b5e1ef770a8a55bdac7dc
MD5 hash:
b5c11ae621115a290a20d5728cd7ba57
SHA1 hash:
1c67a3fc5ac6bdb422d292c3533ee96473b02a69
Link:
https://www.unpac.me/results/fbaa1396-a2b0-4a96-b255-d7da98b3a2d8/
SH256 hash:
6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7
MD5 hash:
d4a7bb6784f76876a316e0cbbb13fcdb
SHA1 hash:
26d6a4ca1ebaf84173297aceb6cae7109a704ac4
Link:
https://www.unpac.me/results/fbaa1396-a2b0-4a96-b255-d7da98b3a2d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6323b9e2d7ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/373206/

Comments