MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
SHA3-384 hash: 7d5e720dae746819ea934d09bb1e938fcf599b47ba036e76034525fac4d0e12facb1624aa59d8b27eb27d1ef2bbff5e3
SHA1 hash: afb9a6a58c652265bbd68a26f7130c9e79dc2144
MD5 hash: 618c0b740f1582b5dde2be66375ceedb
humanhash: finch-october-river-mars
File name:SKM_C257i24092511530Kaplama.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:845'312 bytes
First seen:2024-10-02 09:21:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:LTvIyOad8tBn1jfWXiJ9qvx6m/Bex8UOf6Giu+9DDRv:PvIfad8tZ1jfWSJIv4mJeLOp+5F
Threatray 3'015 similar samples on MalwareBazaar
TLSH T19A059CD076392B05DD795BB09429DDB183B12929B019F6D60CCAFBFB35A87035A08F4B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SKM_C257i24092511530Kaplama.pdf.exe
Verdict:
Malicious activity
Analysis date:
2024-10-02 09:40:48 UTC
Tags:
stealer agenttesla exfiltration smtp
Link:
https://app.any.run/tasks/c0418108-8c5a-456f-bff4-b4faf76c2e7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fd10bc780a9b632d227659
Tags:
Powershell Underscore Lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
89%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/66fd10bd88188863f38dae64/reports/ff919191-0823-48a1-b7aa-92a88af40c3c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/596b2a17-d8bb-4184-803d-d6f91d2ca6a6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1524000
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524000 Sample: SKM_C257i24092511530Kaplama... Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 49 mail.musabody.com 2->49 51 206.23.85.13.in-addr.arpa 2->51 63 Suricata IDS alerts for network traffic 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 11 other signatures 2->69 8 SKM_C257i24092511530Kaplama.pdf.exe 4 2->8         started        12 ctsdvwT.exe 3 2->12         started        14 ctsdvwT.exe 2 2->14         started        signatures3 process4 file5 45 SKM_C257i24092511530Kaplama.pdf.exe.log, ASCII 8->45 dropped 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->71 73 Adds a directory exclusion to Windows Defender 8->73 75 Injects a PE file into a foreign processes 8->75 16 SKM_C257i24092511530Kaplama.pdf.exe 1 5 8->16         started        21 powershell.exe 21 8->21         started        23 SKM_C257i24092511530Kaplama.pdf.exe 8->23         started        77 Multi AV Scanner detection for dropped file 12->77 79 Machine Learning detection for dropped file 12->79 81 Contains functionality to register a low level keyboard hook 12->81 25 ctsdvwT.exe 2 12->25         started        27 ctsdvwT.exe 12->27         started        29 ctsdvwT.exe 14->29         started        31 ctsdvwT.exe 14->31         started        33 ctsdvwT.exe 14->33         started        35 ctsdvwT.exe 14->35         started        signatures6 process7 dnsIp8 47 mail.musabody.com 108.167.140.123, 587, 64170 UNIFIEDLAYER-AS-1US United States 16->47 41 C:\Users\user\AppData\Roaming\...\ctsdvwT.exe, PE32 16->41 dropped 43 C:\Users\user\...\ctsdvwT.exe:Zone.Identifier, ASCII 16->43 dropped 53 Tries to steal Mail credentials (via file / registry access) 16->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->55 57 Installs a global keyboard hook 16->57 59 Loading BitLocker PowerShell Module 21->59 37 WmiPrvSE.exe 21->37         started        39 conhost.exe 21->39         started        61 Tries to harvest and steal browser information (history, passwords, etc) 29->61 file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeyLogger
Create hunting rule
Status:
Malicious
First seen:
2024-10-02 09:22:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbaro3aoizzsyoeg66iiuww7o6tnntqte4tivh6lp4waeyqtfzaq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
unknown_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
AgentTesla
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
AgentTesla
7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c
AgentTesla
ba5b16c28def8e5d0ea0a09bf25b4d980fe89e3537f7034d775ccdf3bd9f5035
AgentTesla
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
AgentTesla
error
AgentTesla
+ 3'005 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/241002-lbwqfsydnk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6a1524f-3eb1-404d-8eaa-8c415f9b96e2
Unpacked files
SH256 hash:
329fc3ab0b9cf28cf3124788bd07d8e5aa1349d16d9eaeee03cbe2eeb244a8c2
MD5 hash:
478e54ca81a01c6d79fa4adc9b6cc984
SHA1 hash:
ba42b119eea964ef0a8368d6750ebbcee17b62cf
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/8afe343c-ddfd-490d-ad83-7d9036df98f9/
Parent samples :
8f5a7bde1dd7ca484c1b41d1096e562e5db6214d4633861c849b350753ccce81
198ff208a336939bc2623042646023f39ef7d0d39f1eb7ec4fe27ac3caef404b
ed8a3593d056c5afa99fc4331390b42645b3800fa98e5b5e0089f7e3260ba283
28cc41b32461784fcf2bcb6d66d4ad44cdf10edd2dd8d2b2712e901d1d44ce99
21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6
aa667be19c861a59464088524698c0097d5d8a461bae61f3c5c99b4fcaef4838
88fc5d96ebc31042f41c8d80e87a1d6b8c4fabe33f11717dbf417f969604af70
72629b026d1626923f7d3280d0dabb7c1a9ee869b7ce9ec2f02c949544c8326f
a2cdc2f4fcad4c6b982674a1b3b86a0f7bcdb7c8f18c1183799d70777c726859
f7d4eed71f2bdb8ac845990506c335bb64af5877df1925794b000d4a7cf88b84
aa607c36d804e2544b7816ca4cbcfaba72506fbe5f801e7f07d5a9719c9bc633
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
bd6f2b6c65e5e3b5385eefbb2cb768e4f145106885dff956cf56815134550df9
ee68537c1249686c83087d4771e9d5b6b6888a48fcdaba7b450fc7541e0331de
7a6d0f4a00f827cf525de3d0028ffc70e2114315bcddd1298a719ddf74eb98d6
SH256 hash:
d2174ddc2b6341b898b939fa0661d2a1cd8d485f5237427331f0d889672fbe7e
MD5 hash:
221f891053c35a694d7b442b7909d086
SHA1 hash:
81cb6829a184bae91927dc8b57744e895355b281
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8afe343c-ddfd-490d-ad83-7d9036df98f9/
Parent samples :
509070cd30eb4cb05c29fe8cb222166c1c7db0f6084ea5b91e37bac79c14ac30
7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c
97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
6b8c990c92c37f014fc93efd79c6fbb3a22e8da7961e9333644bfeac353a2ae2
49a6d4dde10788e5000df6a0fad4be9ab17567fd1314b64c3d7be0257adcbc65
72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
5ea66e4e338b5ded7b00ad1575010d7c1149341323a646069f3b00a518f300d5
c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
c6ae41874ccd5d6c3e6da49cae6d0a0e8eee20e7037896b38f1e4523dd9543c8
08d86feee2707af5c57b4ffa8663c0e447c7425c39a103906cf15eae7cf1df9d
a433aa981a5cbfd5fae678c523b088d034f61f57dcb61232fbaba73657867b36
2095af004e76f0cf7243b68e868eeb3b9c8c157d632aa785a87a93addf3b75fc
9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
822e06191849b35415693155a46edff39c41db14f3dce949120456c1b7b55892
79bcad797129c0be508de0fe7b0462b1aaffbafa74a4e7019a4561deb674f4bd
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
156b1cea1a2f649e332be482047de3d368f5f7b7e93eb4821692ada17a69fc75
b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9
3e26ebdfbd46dadcbf46c199970362689fa6ca0e0abb65ec703ca21d08b7269f
3279f79164633c0881c50971c98ca39bc9367111410f77582700468f2c0e3dd1
38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275
b92304c2e680f54345fa77f77b0c507f93d05d43547e819d2ebf53a31e48ac97
f25dc80bfc742a0e8091d216ecbc033d93e71d43b31bbefb3ec9ef6cfc637cee
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
1cbf1a11cb59b7a4135093c3e6b11be6b81ba57fb30707de145a1d41506760a6
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
d55b00b7cb5305371e1cc170179e7025cc517b810e57992adab16893b410985e
12af745dd8353b25857dc4bd3d3282f21c960ab55d3dece7e62d7a10a9aae810
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
520fe428b0afdaf20673224c5004c004ab1d1dfd492cc54a37e362af8a844005
8f49d498d3ed3ff8f66d7f22a4ab6b7747e2e799662ee75b2019304e5dbc6dde
884c0261a0c4ff07790fa549a0dc1d752bd97ef3e0635536193c585a291a7281
368305c8a62f4edc3ab1b94d1242e5438b7d7c14a6c65f7beb4aad32b1984821
c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
8b528f3a173e7e40394c21bb0cfa0304ef12b58ab185de1da8e4b4e5231eee8a
afef519b2380d9483a1b51eaccf235593140a75641e5a469d130f2d48ffd5268
a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
ddad2801522370c2ca5c4ec41663b36a88ef6be171867f23f084c0fa6ecb1055
5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618
02abb1d01386d7d7ffd8debc2c0fb09baebb82d88b8f758e4de3f0deaaecfbf9
65b4919d036f5dc3a1dfe9b62510ed4e578a87dccf862df6fbb8524894c2965d
a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4
780354ea81fa066b085767d98d878a9b891f7febea281d2e09577b424a6ab47d
b9f4537fa4b470f09cc62c1c706004604498c9405e638712eb4f2ea6a6b1876d
4ed81a9a25e52a99d76805b081679cfe3628756be4bda6a47e365506c7df3a0c
3376b495c19dc3e179dfb2ef072a362c2d26ed59b06266dd7dbf080a80a005f6
0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
01ab4d20ae687b065b10fdf3f3243a46a320dcec4b3a9a8e0cafcc0878aa1800
bf4ab91b352744a5ac16ef96f4c25405b993ded0aeaed9c09efbddab513877b9
b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
03b5cfab3f0ffdf96e415006004be9a0c05e6365e1d5834984cfd5cea9df85fe
3d4bfc47bd88ef39e0780482a1b0fde1cd85772ddce25d9905d88d48b5b96a4a
e407720bcc7f5845bb9cf84c1c1209ef6e2afd339518359f86944c5f6e019b09
e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
20f9d4cf5cd85fa7cf0d58b55409f75f9af0b952d3b573bffdd21966d9a3f396
SH256 hash:
504f0a43140e475ae729575a047961cbce146b9d54b88948c42e95e335843ad8
MD5 hash:
435b5ede645144325c49520f7d781bc2
SHA1 hash:
4ed9e6924782edfa8ad51a92b313320e45740914
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8afe343c-ddfd-490d-ad83-7d9036df98f9/
SH256 hash:
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
MD5 hash:
618c0b740f1582b5dde2be66375ceedb
SHA1 hash:
afb9a6a58c652265bbd68a26f7130c9e79dc2144
Link:
https://www.unpac.me/results/8afe343c-ddfd-490d-ad83-7d9036df98f9/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6841176c0e46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments