MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
SHA3-384 hash: 19872563268cc517de63e24fed0960511355ad4f5929a574b7a2cec246dc82bf0ccf21f1ed2b178f6674519de912ce38
SHA1 hash: c9e898e4c7c9026f0fded242d499ddb61b69a639
MD5 hash: 4865f16a685bc3b34a91f595247f30e7
humanhash: georgia-magnesium-mobile-uranus
File name:shipment 04629673893.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:760'832 bytes
First seen:2024-06-11 19:19:28 UTC
Last seen:2024-06-11 20:32:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:Qt1esNS+7GrRybegXjup/inqt0qKmwRZ5J+:ri7GrRyKTNh0awr5Y
Threatray 120 similar samples on MalwareBazaar
TLSH T18FF45B1D3DAD89E3C364D577DBE2D226B3634F567722CA6920C213620E0E356ACCB15E
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 017896b3a3361821 (10 x Formbook, 9 x AgentTesla, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057.exe
Verdict:
Malicious activity
Analysis date:
2024-06-11 20:07:13 UTC
Tags:
evasion telegram exfiltration stealer agenttesla
Link:
https://app.any.run/tasks/f8bfec34-4976-4c4b-a790-1aed131a28a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1904.12712.13804.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6668a6ada439c6d6b087823dwin10vpnfull_triage
Tags:
Generic Infostealer Static
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade net_reactor packed packed vbnet
Link:
https://www.filescan.io/uploads/6668a36621581a92819c4a78/reports/d97b44b7-b844-4def-bceb-955c8fc49223/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbed5c5b-11ee-4bc1-be8e-7337e6d644c6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455517
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 13:27:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ms3oubqhgq2wwgjszps7euv2t63bnfyxucvx3wighm7odhdrwblq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2b99095636ec250358f5abd47474a374de96f743fc2fadb89642401301e6b670
AgentTesla
4b0d7d7932c2361c099955820fefc4636459c3ea3b155746fc04a7193d96e5b3
AgentTesla
64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
AgentTesla
ed926217f9c0ac06a4349c5a3e2b0bbd8e8d162fc20cb6083a7f86457690af6b
AgentTesla
ffd8881c0f42c9d269430cd6ea2b9523be726a688a13a346389b1f4eebab68e8
AgentTesla
+ 110 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240611-x14m5syaqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5970985875:AAGxcS7riy4ZlEmFj2Z031AsUoRvment2iI/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/961294f9-0860-4470-9dd3-006042f568fc
Unpacked files
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/f6ea4124-c375-4951-b738-488b7eef31e2/
SH256 hash:
42e5becfeca39dfa3694795db2446660c538b6877cbd4705ed097afa81b4a839
MD5 hash:
4cf8d3ba87065ebecc05f7bb57d2f72b
SHA1 hash:
4ebb09f0ddb3802dcd9903b588e602ec2cee4f75
Detections:
AgentTesla
Create hunting rule
MALWARE_Win_AgentTeslaV3
Create hunting rule
Link:
https://www.unpac.me/results/f6ea4124-c375-4951-b738-488b7eef31e2/
Parent samples :
9bbde4505ae5917c4068f53e4d85edc007bc93756be890dd112eae08a7e20e7c
b35cf0015d7ba7c4fd4a321e0f11ecbf7574359837a9d83166a651693141fd44
e31c608e7f7c15f3783ce3a0f60de2df28ac15195aa873d74feacfac98d2b0fb
969ed693de96feb146e36af913007eafca1fde166ccab5ebf191f0152acfd2a4
26ef0814a002bedcc9770f2b3c5c79787fd036c7bf9f48691a26fa2bfbd9043e
ea42fae9b34496f705c464ea47422432c07987c16dfc353a928771bad6bba029
8905801a8273b80a87ba32aa8d1bc2897178561ea39f82b387c746ec7241e0ec
b8d274e8109135f08ca54076322f97c8fb2ae345a51939205e4630a11a984ca3
59e57cffbe59a4a8dd48220345e022b41deb60654705a518a0a74d5c86496951
1cd323bfff08daf001361fb642f30bf06ccda8d78d01c77727d80774a283b269
ea6ca8b50b5fa2bb41ccca9076020cc9ce9e53068fa85cb1be11d1ef1a3c591a
64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
SH256 hash:
fcf1ecae9286caf8d482ae078be5df74bd0fb021ed04498f2a65e36a12cf5d12
MD5 hash:
111658faeb20b8f3b28314b9a865be0d
SHA1 hash:
1e2a8bc37d17d04f08dcb139770d9197dea66f08
Link:
https://www.unpac.me/results/f6ea4124-c375-4951-b738-488b7eef31e2/
SH256 hash:
64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
MD5 hash:
4865f16a685bc3b34a91f595247f30e7
SHA1 hash:
c9e898e4c7c9026f0fded242d499ddb61b69a639
Link:
https://www.unpac.me/results/f6ea4124-c375-4951-b738-488b7eef31e2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64b6ea060734/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments