MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67c9655cbda8a8562a7696a60e493036757c15999195a6da534f972d6485a4d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	67c9655cbda8a8562a7696a60e493036757c15999195a6da534f972d6485a4d3
SHA3-384 hash:	1023f457f0e049d1a4f7ebd82dbad6308c9a98560636095dc59bc93ef516858db6e92409030c8352ebaa71378c98a44c
SHA1 hash:	95b5a9ce5a7f04e577786dad452c29a13f7a2423
MD5 hash:	f9e562fbff965e06d71064f32afa67f4
humanhash:	london-crazy-yellow-december
File name:	vbc.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	384'503 bytes
First seen:	2021-11-09 14:38:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:+bE/HUzstiTRl3ATmBBBJ8UU+xYN1n2+nMlI1CNzCb3wHwCdn9m/w0SYq7p:+bfstiv3+mBBBJlUuYL2+nMSMCbAHwGz
Threatray	12'549 similar samples on MalwareBazaar
TLSH	T102841242C1CCD0D7C15387B10D2636B9DB776D3A99109F0B8F82BE5C7AB2550963AE9C
File icon (PE):
dhash icon	32ceaeaeb2968eea (8 x SnakeKeylogger, 7 x AgentTesla, 6 x Formbook)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/204518/

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/618a8808dec3347825a078dc/reports/66d71f3d-e0cb-48b3-ab91-e2aa44290525/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b99a0442-3030-48cc-9a3e-77bbabb9a8ee

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/886088

Signature

.NET source code contains very large array initializations

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/67c9655cbda8a8562a7696a60e493036757c15999195a6da534f972d6485a4d3/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-09 14:37:54 UTC

AV detection:

15 of 27 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m7ewkxf5vcufmktws2ta4sjqgz2xyfmzsgk2nwstj6ls2zefutjq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def

AgentTesla

58de41e1c48a304c1f7f289fe5c8976d82b8968aae89497adf7c60cda25deaaf

AgentTesla

611a2dfac3989c66b10815fe8d6a81d92554e0ce47ec3d5b6bdd7c91c4163a7e

AgentTesla

6f871f3642191d04e4fe20f022f738d89b3ad90b531cef6adde91d10f257431d

AgentTesla

7fb4a26d9f2c3a08c69d7f5838b7f88d8c6f31ab2aa69b130b150449baaea7ad

AgentTesla

84bbdc0b303d03c1ef4ee6d48dedd94181d8fc5650a20b557a555b0917aaf879

AgentTesla

e5c32739c115f51b0d7bf70fe1c50ca8253ee7ce97ef53d97582417e4bc093cb

AgentTesla

fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044

AgentTesla

+ 12'539 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/211109-rz96msfdf8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Uses the VBS compiler for execution

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

67c9655cbda8a8562a7696a60e493036757c15999195a6da534f972d6485a4d3

MD5 hash:

f9e562fbff965e06d71064f32afa67f4

SHA1 hash:

95b5a9ce5a7f04e577786dad452c29a13f7a2423

Link:

https://www.unpac.me/results/e69c4f01-d415-4f3d-8b2b-1f0c19d44d65/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/67c9655cbda8a8562a7696a60e493036757c15999195a6da534f972d6485a4d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/204518/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample