MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436
SHA3-384 hash: 611288e2db2c053327c63e073dc93160ab06beb56d18b4e7762d7e59c5100a7ed2c44526ad6e4bbcce09c233eb3c8b44
SHA1 hash: c0eed19977aa5f6100804d2e431d6bb5bef69daa
MD5 hash: eae8d9e270bc65f3cfcc90b97083d4b9
humanhash: may-oscar-alabama-bakerloo
File name:CWXMF230300599.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:705'536 bytes
First seen:2023-10-24 05:41:53 UTC
Last seen:2023-10-24 05:42:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:sHTBGjiqmtBWT6HTEiGmmzSNdP6BeuboLRMQeIgXZQR:uOiqmtB6GEiLm6658LiQhaZ6
Threatray 699 similar samples on MalwareBazaar
TLSH T1F7E4BF1921EB14D2CB3AD7BBC3D92749C97EF171519B722E2E9912F98052F01EF02636
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
314
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
CWXMF230300599.exe
Verdict:
Malicious activity
Analysis date:
2023-10-24 06:28:12 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/b0ebad5b-a608-44b3-b215-77422600414b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455863/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.21787.21471.28488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bladabindi packed
Link:
https://www.filescan.io/uploads/6537592d43f333232fb23df8/reports/437d1f81-f3d2-42b8-b7c2-255b02a22bea/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48d32c18-2bfd-4bdc-954b-219586e2cfd6
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331032
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331032 Sample: CWXMF230300599.exe Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 32 mail.komturmetal.com 2->32 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 10 other signatures 2->42 8 CWXMF230300599.exe 6 2->8         started        12 XgkmIgCpN.exe 5 2->12         started        signatures3 process4 file5 28 C:\Users\user\AppData\Roaming\XgkmIgCpN.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\tmp58AE.tmp, XML 8->30 dropped 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->44 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->46 48 Uses schtasks.exe or at.exe to add and modify task schedules 8->48 56 2 other signatures 8->56 14 RegSvcs.exe 2 8->14         started        18 schtasks.exe 1 8->18         started        50 Antivirus detection for dropped file 12->50 52 Multi AV Scanner detection for dropped file 12->52 54 Machine Learning detection for dropped file 12->54 20 RegSvcs.exe 2 12->20         started        22 schtasks.exe 1 12->22         started        signatures6 process7 dnsIp8 34 mail.komturmetal.com 78.135.106.233, 49715, 49716, 49717 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 14->34 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->58 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->60 62 Tries to steal Mail credentials (via file / registry access) 14->62 24 conhost.exe 18->24         started        64 Tries to harvest and steal browser information (history, passwords, etc) 20->64 26 conhost.exe 22->26         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-10-16 03:31:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7git6ckn2epdn2lzyu6nah3fzsndiaqimyovhorz5lxbvr46q3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3919ad1d9e40d234f221440b20a11e1ee317824c4209238c81c83c9299de5762
AgentTesla
514b7b027e522406396244bfcd1bf8cdd60b967fd99bc9b8bce226dc0eb6e93d
AgentTesla
67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436
AgentTesla
afebc44291db59603826cac90112a97e371aa65fdd92c6da15363253e2dac27d
AgentTesla
c1d57ced264a612aa7069940bd8bc2ad9b1b5d66cf8258ed58027b6101d60e28
AgentTesla
c6efcafa1919f03c1c4039960fe44a4c92c93e53ec8497c7e192f002470aec30
AgentTesla
ea652ce006bdff45184664a2c691ca5c6256fc1a686dfa8721cf5a9d2e1f4593
AgentTesla
ffb16c9e23092b4194b076ed1a8fb847e65051329b025c99ff06088dd760e5a8
AgentTesla
+ 689 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231024-gd1pzaah7w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
9619c137f9b9130d8853077f90c6760d5c725d011872661f7d48b89bd766fb99
MD5 hash:
20c12a9f7274d38546e2299699f27de0
SHA1 hash:
e7500c3f66c9a2e2973483b70cc6027aa754cb6c
Link:
https://www.unpac.me/results/ad47b47a-c828-4890-af05-9e7b22c6758e/
SH256 hash:
6b6f0d0008346e351a105a7839d85b9aaae5b3c957c28618dcbc347c5c9db77f
MD5 hash:
fc82262057015206c59954e04996f8ac
SHA1 hash:
8650746ca799d0bc8020a5383b03b3d747ee889b
Link:
https://www.unpac.me/results/ad47b47a-c828-4890-af05-9e7b22c6758e/
SH256 hash:
5be37601582d0a5f58b8357044a84a41ce3bd642b5328636dfa4c0a2d9753e48
MD5 hash:
3b9feca99b87894581e35c8c906b9637
SHA1 hash:
5a5d79ea0c213e1fd9e16acf457c63d0911f1225
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/ad47b47a-c828-4890-af05-9e7b22c6758e/
SH256 hash:
67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436
MD5 hash:
eae8d9e270bc65f3cfcc90b97083d4b9
SHA1 hash:
c0eed19977aa5f6100804d2e431d6bb5bef69daa
Link:
https://www.unpac.me/results/ad47b47a-c828-4890-af05-9e7b22c6758e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67cc89f84a6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ffb71d83f9cc2988a320f5b2eb36e2eae9468bf5a3ebd84450308d9ab2c857bd

AgentTesla

Executable exe 67cc89f84a6e88f1b74bce29e680fb2e64d1a0104330ea9dd1cf5770d63cf436

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ffb71d83f9cc2988a320f5b2eb36e2eae9468bf5a3ebd84450308d9ab2c857bd
  
Dropped by
SHA256 68b1995581ea92e0af7f2ebce146d2b8aefb8d043dba22daf1b8f8f736488b3d
Cape
Cape
https://www.capesandbox.com/analysis/455863/
  
Dropped by
MD5 d1467203cbb71637889770012c5b91c2
  
Dropped by
MD5 ce7c40bf265967c206934198953d5ea5

Comments