MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6767a5edb173efe175bf59ca5c85d0e9c24874a96046b8cfa0cb77fc0fb8db95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6767a5edb173efe175bf59ca5c85d0e9c24874a96046b8cfa0cb77fc0fb8db95
SHA3-384 hash: ae1c99ec854dd0c7e4f3fae227bbe562cef7de7b525cdc59b068dfa87df2e43b60c1a49cd9a4e3263f65497e3928ccd8
SHA1 hash: 38f36273ed7f508c650e5c8ba541a29e313ad138
MD5 hash: c8f9c5b34a7abe2b483329c2fca51866
humanhash: mars-river-apart-bluebird
File name:purchase order -0034287.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:885'248 bytes
First seen:2022-03-02 15:43:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:wR/I3+SBumUI1CT+/hsFg4PlQslEaBoYoKlA2oTvTaTl1Fkq+VlvhkbBZu:GSlUIoT+WPlzlEaXo0UaJ1FMk98
Threatray 15'932 similar samples on MalwareBazaar
TLSH T19215CF0839E65039F93A8BF1CAC0EBF1DB6EF221E58934F554000E155A56BBC8946EFD
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246375/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/621f90c50cd58dbd92639d32/reports/0001bb20-c4a6-479c-9568-6ad758abfbf6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04093079-fb62-4b27-8805-dfc94e8c8084
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949250
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 581728 Sample: purchase order -0034287.pdf.exe Startdate: 02/03/2022 Architecture: WINDOWS Score: 100 29 us2.smtp.mailhostbox.com 2->29 31 store-images.s-microsoft.com 2->31 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AgentTesla 2->41 43 10 other signatures 2->43 7 purchase order -0034287.pdf.exe 3 2->7         started        10 YYtJku.exe 3 2->10         started        13 YYtJku.exe 2 2->13         started        signatures3 process4 file5 23 C:\...\purchase order -0034287.pdf.exe.log, ASCII 7->23 dropped 15 purchase order -0034287.pdf.exe 2 5 7->15         started        45 Multi AV Scanner detection for dropped file 10->45 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->47 49 Machine Learning detection for dropped file 10->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->51 19 YYtJku.exe 2 10->19         started        21 YYtJku.exe 13->21         started        signatures6 process7 file8 25 C:\Users\user\AppData\Roaming\...\YYtJku.exe, PE32 15->25 dropped 27 C:\Users\user\...\YYtJku.exe:Zone.Identifier, ASCII 15->27 dropped 33 Moves itself to temp directory 15->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->35 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6767a5edb173efe175bf59ca5c85d0e9c24874a96046b8cfa0cb77fc0fb8db95/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 09:05:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5t2l3nropx6c5n7lhffzboq5hbeq5fjmbdlrt5azn37yd5y3okq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
129508fd40808bbe6d89a6a63054d0ef88ba98c987ce8b0bb4318d624e2ebb51
AgentTesla
68adf1593246aa30e26bcabf3dd8bc48f17212a2e6cef3bf9bfe0ce5e2625af3
AgentTesla
96b067e320b73d73d44df9a4ccc7041deec2059fb26a2efa50a877a528ada172
AgentTesla
a5cb176175e29f72f93c59e48a8bbf5e51c6c33dd9570bb71b4c2fbe2cb2e2c2
AgentTesla
affc0b05066b707066143310ffac765065b7c7fdcd5d4319885681f730f90000
AgentTesla
b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
AgentTesla
c33cfc3f4bb960a35be3e998d07557eaceb960f9950eeb2c99ae367874e771c5
AgentTesla
d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63
AgentTesla
+ 15'922 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220302-s6hkmsfdf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1b041e3388b07a6774e4ef19e3fe3f99ff7f037729c16f595a2c347326a6fa82
MD5 hash:
fd8d3b0a7b4f24dcf285d3f27537c747
SHA1 hash:
9eef579aaf8ab66adfc0dd665a893b0fb2c67f45
Link:
https://www.unpac.me/results/2f827754-846d-4d60-801b-f3ab6e73252d/
SH256 hash:
293645a7fddceadf13a1da875c97e92489c6839cd4527c8dda3f3f949050ee41
MD5 hash:
a85c20d81e2f958c99f78ca88d24ce2e
SHA1 hash:
9a7b9b2963dccc04d7c1a222ed8e5323dbf7156d
Link:
https://www.unpac.me/results/2f827754-846d-4d60-801b-f3ab6e73252d/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/2f827754-846d-4d60-801b-f3ab6e73252d/
SH256 hash:
55035e1d9a42f37b7d766791f1802cfd6f8e496c43fd55e4f765b7eefe85ceaf
MD5 hash:
8fac002adf01707ffff574dd0de9733a
SHA1 hash:
260e6f19c28765f7e8ee51a0d24bfd1c4de80971
Link:
https://www.unpac.me/results/2f827754-846d-4d60-801b-f3ab6e73252d/
SH256 hash:
6767a5edb173efe175bf59ca5c85d0e9c24874a96046b8cfa0cb77fc0fb8db95
MD5 hash:
c8f9c5b34a7abe2b483329c2fca51866
SHA1 hash:
38f36273ed7f508c650e5c8ba541a29e313ad138
Link:
https://www.unpac.me/results/2f827754-846d-4d60-801b-f3ab6e73252d/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6767a5edb173/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6767a5edb173efe175bf59ca5c85d0e9c24874a96046b8cfa0cb77fc0fb8db95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6767a5edb173efe175bf59ca5c85d0e9c24874a96046b8cfa0cb77fc0fb8db95

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/246375/

Comments