MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1
SHA3-384 hash: 711ea8729e88dd9c1a3dc8706e4894f94035fdb8124d620781ee8ccd651befed244d49d7e6188a8a98529cc75578e144
SHA1 hash: 3e58d45bd8411ec2a0b5646688f2f9be6f14a954
MD5 hash: 0759f7fcda24b6700b71c67e7c4fdea4
humanhash: colorado-enemy-ceiling-princess
File name:rScannedCopies_IMG-PO889377390_Amendments.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:673'792 bytes
First seen:2023-07-14 12:23:22 UTC
Last seen:2023-07-14 12:41:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/x9hR5AITvJYjXaiUpxgj7n2Trkjc4iJt6geyBJQcrIXGZyVr:/x9hDAqvJ0XcY2aiWgeaPWr
Threatray 424 similar samples on MalwareBazaar
TLSH T1ADE4129A2DA5DE17C0ABABBC56A07330077D8BC07D66D31A1DCB70EF9613B810E10697
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70d2a28e3c626cb1 (4 x AgentTesla, 2 x Formbook, 1 x DarkCloud)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Scanned Copies _ IMG-PO#889377390_Amendments.r00
Verdict:
Malicious activity
Analysis date:
2023-07-13 11:39:20 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/01e9c105-f5f2-48b6-8255-2c1161232c8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/418807/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68154620.10077.15835.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/64b13e64a15fc7eb4fd2d92e/reports/78fcddd3-a1c4-4a48-959c-7a68e2665a14/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68fe0cb5-f5ad-463a-9c4f-48baabac1b4d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273175
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273175 Sample: rScannedCopies_IMG-PO889377... Startdate: 14/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 7 rScannedCopies_IMG-PO889377390_Amendments.exe 7 2->7         started        11 crzKeezIzQ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\crzKeezIzQ.exe, PE32 7->35 dropped 37 C:\Users\...\crzKeezIzQ.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp31A3.tmp, XML 7->39 dropped 41 rScannedCopies_IMG..._Amendments.exe.log, ASCII 7->41 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 65 Injects a PE file into a foreign processes 7->65 13 rScannedCopies_IMG-PO889377390_Amendments.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 21 crzKeezIzQ.exe 11->21         started        23 schtasks.exe 1 11->23         started        25 crzKeezIzQ.exe 11->25         started        27 crzKeezIzQ.exe 11->27         started        signatures5 process6 dnsIp7 43 sconengr.com 138.201.250.101, 49697, 49700, 587 HETZNER-ASDE Germany 13->43 45 mail.sconengr.com 13->45 47 192.168.2.1 unknown unknown 13->47 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        49 mail.sconengr.com 21->49 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->71 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal browser information (history, passwords, etc) 21->75 33 conhost.exe 23->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 17:09:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=myf6jq3hnykxz3734v425ma3wlwnrfsgnabrbo6zkaysqdqrzxyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2140b6d2a82895723e606280df1f1d1957353efd644967bb6c20ffa40a15a84b
AgentTesla
2dbe70cbbdcaf38adeeb141e74dd76d8c2bf2f3d3ad7d4e9b6ac2b75aac70b53
AgentTesla
48bd774210f381b63ba719ff062f5000c3e1ed8648f5df60530b2e65d5447c01
AgentTesla
51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b
AgentTesla
539c8b42e4c670a527dc2e3aa0154b7959c3c4a058f90582dd5e9284a27c43f8
AgentTesla
7d1cb09a0fb3d30d8b4503fac7cbd55b30446cc92911eae44132f9debfb39da5
AgentTesla
8c4e9d94fbe53a166f83db9ec983f39aacb95fb594536bd225f12518cc62865d
AgentTesla
c3d408d3ba7f6ea4acf913b8fd845e98c587fc8a6c67f48ef3542e3895ba7153
AgentTesla
cfcc1000b4f9705f95ba899a1aad91361497a18071396842986d1d40a03d5c6f
AgentTesla
+ 414 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230714-pk2jvaee31/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2da2a1c3519cb9536703b795aea5d867d2c466defa9c7db586b1b3c737abe709
MD5 hash:
c4684da0d27845cbdd4220c8dfe26304
SHA1 hash:
c8fa2202cd307b01d0077d0b63b8a6afe5de2795
Link:
https://www.unpac.me/results/ab8670e6-7c28-4214-bbcd-6eec2813e8d2/
SH256 hash:
435eea42007967487ebc55ca0e623f059566234da77d931eae4fae025e3aeebf
MD5 hash:
5ed7a5d997befa5bb15598f845163eeb
SHA1 hash:
c749f897540309e115dd1f7086fcde6fd971f20b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/ab8670e6-7c28-4214-bbcd-6eec2813e8d2/
Parent samples :
cfcc1000b4f9705f95ba899a1aad91361497a18071396842986d1d40a03d5c6f
2140b6d2a82895723e606280df1f1d1957353efd644967bb6c20ffa40a15a84b
660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/ab8670e6-7c28-4214-bbcd-6eec2813e8d2/
SH256 hash:
c4aff772e6c611236c5cb21c5d681fd6e06cb0c8dd15f334ca753c749124d970
MD5 hash:
7f3cc149facd2a4117a228f961f1323b
SHA1 hash:
794049af8722b252a40551def57336bb55e1700e
Link:
https://www.unpac.me/results/ab8670e6-7c28-4214-bbcd-6eec2813e8d2/
SH256 hash:
660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1
MD5 hash:
0759f7fcda24b6700b71c67e7c4fdea4
SHA1 hash:
3e58d45bd8411ec2a0b5646688f2f9be6f14a954
Link:
https://www.unpac.me/results/ab8670e6-7c28-4214-bbcd-6eec2813e8d2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/660be4c3676e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 660be4c3676e157ceffbe579aeb01bb2ecd89646680310bbd95031280e11cdf1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/418807/

Comments