MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
SHA3-384 hash: a388f065850f1c5e160e04c1bcfa89bc465584bfdfa45ec57922822d4f321242a7bf288720f073e7022ea86f73a25896
SHA1 hash: 0db16ed37a3f2bcb694d39e3e7e3247dea466ef7
MD5 hash: 1f055711a5f61041fc70c771ef852754
humanhash: papa-papa-music-river
File name:SecuriteInfo.com.Win32.CrypterX-gen.15427.15535
Download: download sample
Signature AgentTesla
Create hunting rule
File size:924'672 bytes
First seen:2024-03-08 09:20:25 UTC
Last seen:2024-03-18 13:17:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:89dF61Falig8mrEByYvZBBGT6KrLx1Y+:8hPX8mrQjvJGuKXx1Y
Threatray 611 similar samples on MalwareBazaar
TLSH T16515CFAC325079EFC46BCD769AA82C64FA6134BB530BD243A01705EC9A1DA97CF145F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
353
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2.exe
Verdict:
Malicious activity
Analysis date:
2024-03-08 09:25:18 UTC
Tags:
evasion agenttesla stealer
Link:
https://app.any.run/tasks/0ca70a7b-770c-4c9b-98fa-a3638c874cc0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.15427.15535.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Searching for the window
Sending an HTTP GET request
Changing a file
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65ead88087137159d436073d/reports/49a0ac09-f85f-42de-abb5-1ff36a00a29a/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d280a5b7-a47f-40a1-bc2b-f3a28b9b9aba
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1405313
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1405313 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 08/03/2024 Architecture: WINDOWS Score: 100 43 mail.wecaresvc.com 2->43 45 www.google.de 2->45 47 2 other IPs or domains 2->47 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 11 other signatures 2->67 8 SecuriteInfo.com.Win32.CrypterX-gen.15427.15535.exe 22 2->8         started        13 LVvBhEA.exe 19 2->13         started        signatures3 process4 dnsIp5 49 www.google.de 142.250.101.94, 443, 49712, 49719 GOOGLEUS United States 8->49 39 C:\Users\user\AppData\Roaming\LVvBhEA.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmpE12C.tmp, XML 8->41 dropped 69 Detected unpacking (changes PE section rights) 8->69 71 Detected unpacking (overwrites its own PE header) 8->71 73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->73 83 5 other signatures 8->83 15 SecuriteInfo.com.Win32.CrypterX-gen.15427.15535.exe 15 2 8->15         started        19 powershell.exe 23 8->19         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        75 Antivirus detection for dropped file 13->75 77 Multi AV Scanner detection for dropped file 13->77 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->79 81 Machine Learning detection for dropped file 13->81 25 LVvBhEA.exe 13->25         started        27 schtasks.exe 13->27         started        file6 signatures7 process8 dnsIp9 51 ip-api.com 208.95.112.1, 49715, 49720, 80 TUT-ASUS United States 15->51 53 wecaresvc.com 103.138.106.17, 49718, 49721, 587 ABOVE-AS-APAboveNetCommunicationsTaiwanTW Taiwan; Republic of China (ROC) 15->53 29 WmiPrvSE.exe 19->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->55 57 Tries to steal Mail credentials (via file / registry access) 25->57 59 Tries to harvest and steal browser information (history, passwords, etc) 25->59 37 conhost.exe 27->37         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-03-08 08:24:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ncdecnfgpbbkyl4ghx6zf3dk2zlhk4negztdwc6o3kpc54bcfxra._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
02c8eebae0079db6819c4f7d157715e362600d98a25a9f0c9c2bb26d4ef28752
AgentTesla
061d22ce82c411b7a7a101fcb6fd0836f420b1800a7e5b241089fc819cfd4451
AgentTesla
11d7212106c1e7d65ca5b3a3d6c197775e224c151b89900de265e6efcbb68322
AgentTesla
faf3f62dfe8cb253f9353473181163afce4bf199222d3731621c7972e87da49d
AgentTesla
+ 601 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240308-lbb12sbe47/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
a61e67516b60b6013f4873ef2879ef7a61c970d60155d2c6fb33bdad8a606233
MD5 hash:
dc5b2b0ff2c4b9bcfbe0221a2cd146d2
SHA1 hash:
caa205914439cfca105d89d58fbb73b2ca3c2f34
Link:
https://www.unpac.me/results/3cc9f083-a1c3-4b83-a246-c6057b1be97c/
SH256 hash:
b71208861384226004766dd5592edbb76a9604f93e5dc8d75a2424e767bea1ac
MD5 hash:
22e99efa3d44c1ec354e377b8e27faee
SHA1 hash:
9287e5db8d85112a1986f8e9928bcddfffd01b0c
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/3cc9f083-a1c3-4b83-a246-c6057b1be97c/
Parent samples :
bebb26a32c9db65ecd6e60f671873d09d5bc0e2321d3bac4651ec8c40c704058
2b9f20a668208149cc54154a7da1238620e1242310f4000a1198b14c0466b2b8
81ea5e0ffd1905e775255d57d6a3661516506c1433132292958da3b0916bbf4b
68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
569f0d5aa49829d1b73b49dd9dab911ba5bb9e5697b62e1ef9fc0c1825ffbba6
fb7cddcabe7defcc11937a7c8d0672a6f65c3135574e1c71a0e772e9d1f19311
e97625746360793777ab1d7dc32d4259332c7f3c81a441eb7850234aabfdf23d
SH256 hash:
1d31adfc655363c064d20298a67212b1807670d7105e6a2bc81d8f410cf472d3
MD5 hash:
a90c3c13d7383918d6f8f73bb600e498
SHA1 hash:
67bb5ccbddef60ef2c9ea2caf16b9fcf9f4c6dc2
Link:
https://www.unpac.me/results/3cc9f083-a1c3-4b83-a246-c6057b1be97c/
SH256 hash:
7b4aff01a10e4b74fa42e9f3bfaca8108bba632d09a451ae59f5ebf3dc85eab1
MD5 hash:
6b75a59e836957c528b3cae0c6dcf678
SHA1 hash:
3a0f08b59fe711bf81c68221117c9410f310eb86
Link:
https://www.unpac.me/results/3cc9f083-a1c3-4b83-a246-c6057b1be97c/
SH256 hash:
68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
MD5 hash:
1f055711a5f61041fc70c771ef852754
SHA1 hash:
0db16ed37a3f2bcb694d39e3e7e3247dea466ef7
Link:
https://www.unpac.me/results/3cc9f083-a1c3-4b83-a246-c6057b1be97c/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/68864134a678/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments