MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f
SHA3-384 hash: 6b1364a546cdacc571624960b05f9c13437727717d080e63222c3f112b87197b53e70f5cc151f580b633c2a6ebf48d72
SHA1 hash: d4fcdb56a640f4c8f6972fa9d6631c56887a8f77
MD5 hash: 8387c7223cfe8957203165bcc1918f80
humanhash: connecticut-xray-whiskey-oven
File name:Doc-0710236-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'283'072 bytes
First seen:2023-01-16 09:30:55 UTC
Last seen:2023-01-16 11:41:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:4Wk3F+ZG9aihPSccB1GResj1MLnike5a2Nhqkxp/1SAywKlN71obN/AcPh:XEJ9aiRSc1ReTnCceFNkRSzJ
Threatray 19'838 similar samples on MalwareBazaar
TLSH T1025562DE02F404CBD22CA5B9A919EED09964EC74EB01CD15FD81FCCEAD723E61052DA6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8639db93e9cca4c8 (3 x AgentTesla, 1 x VectorStealer, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://198.98.55.114/ag7/inc/bb896bf04a14cd.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Doc-0710236-pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-16 09:38:25 UTC
Tags:
trojan rat agenttesla opendir stealer
Link:
https://app.any.run/tasks/62a46405-0297-4377-955e-11085e05a607

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353342/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.3576.31581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  10/10
Confidence:
83%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c5195aeceae563152d2c6e/reports/0dae54da-eaf7-4824-af3c-ddcaf344ead2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3bcb67f-4b49-4492-bf81-e6d8a63bef29
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152240
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 784973 Sample: Doc-0710236-pdf.exe Startdate: 16/01/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 8 other signatures 2->49 7 Doc-0710236-pdf.exe 6 2->7         started        11 ogJLyqFGkn.exe 5 2->11         started        process3 file4 29 C:\Users\user\AppData\...\ogJLyqFGkn.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp4963.tmp, XML 7->31 dropped 33 C:\Users\user\...\Doc-0710236-pdf.exe.log, ASCII 7->33 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->51 53 May check the online IP address of the machine 7->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->55 63 3 other signatures 7->63 13 Doc-0710236-pdf.exe 15 7 7->13         started        17 schtasks.exe 1 7->17         started        57 Antivirus detection for dropped file 11->57 59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 19 ogJLyqFGkn.exe 14 7 11->19         started        21 schtasks.exe 1 11->21         started        23 ogJLyqFGkn.exe 11->23         started        signatures5 process6 dnsIp7 35 198.98.55.114, 49701, 49702, 49705 PONYNETUS United States 13->35 37 api4.ipify.org 64.185.227.155, 443, 49700, 49704 WEBNXUS United States 13->37 39 api.ipify.org 13->39 65 Installs a global keyboard hook 13->65 25 conhost.exe 17->25         started        41 api.ipify.org 19->41 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->67 69 Tries to steal Mail credentials (via file / registry access) 19->69 71 Tries to harvest and steal browser information (history, passwords, etc) 19->71 27 conhost.exe 21->27         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f/
Threat name:
Win32.Trojan.Olock
Create hunting rule
Status:
Malicious
First seen:
2023-01-16 09:31:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
12 of 39 (30.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=myapfri66iz2evgilqfda4hltkaqizus3wmrrxstee6chytkom7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
11b9f67eb281cdf13dae80e0e6b549755355ffe3774a0ee63f902adf522615c3
AgentTesla
175b18fc4d1ce73099a94c25d5fee0af5704e47b37803137368bdf416fc8a364
AgentTesla
5a4d6959bab110d8c072b3c901e22463388ffb87c673243da8cd5c4064ab7ec6
AgentTesla
6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4
AgentTesla
6e90c85fbcfa669738f0d090ebe3f5dceb5b4796cd523c3f51cc956af3a20cdf
AgentTesla
a1b4b59ce0ed13e04420c13bfcb67c099ba6b60d1f7710d85fb4c8eb071bbc39
AgentTesla
ae962654831c5e0f03bbe7764978c5044ee708f93eb7e485e2e86ec860b8fab5
AgentTesla
ce5c147f75c354710869fde43cdc99afb90de8f43d5a0a58cd7456ade759b110
AgentTesla
de7da8b54474a61449ac0c8a9feebc5708d73e8cf14bd2b74125d20cdf67bb84
AgentTesla
e19bcbf0c3ca0fe5e246cede2ef4ee264d0908faf4ca4b39aeb687c443f85f91
AgentTesla
+ 19'828 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230116-lg32qagg8z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6ebb434ccdfb2696c4cbc87bf27e0c5517def9c486658d46aa81ac7d633b132f
MD5 hash:
9b3cef4ee8a8feb04a57a7dc372462f6
SHA1 hash:
a73b9be4037820979fb7edd49c1deb9b9ec3ae24
Link:
https://www.unpac.me/results/9ab7a05f-deb2-4ca8-afbf-f9b2bfe997da/
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/9ab7a05f-deb2-4ca8-afbf-f9b2bfe997da/
SH256 hash:
6d6605f37861616b61c4965894f591fc0cb34f6806c2b91f78d29ba1f430f60d
MD5 hash:
9f1c02bd5cd9d432266a350ac3be01d3
SHA1 hash:
0a6f731ccd958841dc8d338356973d030400a54c
Link:
https://www.unpac.me/results/9ab7a05f-deb2-4ca8-afbf-f9b2bfe997da/
SH256 hash:
6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f
MD5 hash:
8387c7223cfe8957203165bcc1918f80
SHA1 hash:
d4fcdb56a640f4c8f6972fa9d6631c56887a8f77
Link:
https://www.unpac.me/results/9ab7a05f-deb2-4ca8-afbf-f9b2bfe997da/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6600f2c51ef2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353342/

Comments