MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68985dc9afb662122f34324cd3738b6c6b91b6b046c58d3cab3b350113757105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68985dc9afb662122f34324cd3738b6c6b91b6b046c58d3cab3b350113757105
SHA3-384 hash: 5d05d955c2039b5bf153dd008ddba83239dbe8ab09bc882217fac086b8e04cad410227eb4a780eddbc9b8663e709f8a1
SHA1 hash: b2c8784f044522aef0cc251ee20927a9b61f74f0
MD5 hash: eaaa2689756daf3340c3efa22088e90e
humanhash: august-carpet-solar-queen
File name:eaaa2689756daf3340c3efa22088e90e
Download: download sample
Signature AgentTesla
Create hunting rule
File size:896'000 bytes
First seen:2022-02-17 18:22:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:XhbrlIGBjTEMXJKaheLUzvol29RvcYvfh+Zz/4CS:RXlIOTEMZKjLUrOODIzQC
Threatray 14'858 similar samples on MalwareBazaar
TLSH T11D15BE5631FF1056C3A2EBF20BD8ECBF866EF173520F753935C22A4A8765A408A42775
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242363/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.57439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware obfuscated packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/620e92a6ac8ad0468b4cdc45/reports/dd4e3421-c190-4758-8a20-cbf29f2f0122/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8f8de51-eb0a-4123-8ef1-aeed31318dc7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941814
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 574299 Sample: 1mgut0pGHX Startdate: 17/02/2022 Architecture: WINDOWS Score: 100 47 opexgroup.com 2->47 49 mail.opexgroup.com 2->49 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 8 other signatures 2->61 8 1mgut0pGHX.exe 7 2->8         started        12 gbHkPcl.exe 5 2->12         started        14 gbHkPcl.exe 2->14         started        signatures3 process4 dnsIp5 41 C:\Users\user\AppData\...\IHDaPdjTweFSEt.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\...\tmp3837.tmp, XML 8->43 dropped 45 C:\Users\user\AppData\...\1mgut0pGHX.exe.log, ASCII 8->45 dropped 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 8->67 17 1mgut0pGHX.exe 2 5 8->17         started        21 powershell.exe 25 8->21         started        23 schtasks.exe 1 8->23         started        69 Multi AV Scanner detection for dropped file 12->69 71 Adds a directory exclusion to Windows Defender 12->71 73 Injects a PE file into a foreign processes 12->73 25 powershell.exe 12->25         started        27 schtasks.exe 12->27         started        51 192.168.2.1 unknown unknown 14->51 file6 signatures7 process8 file9 37 C:\Users\user\AppData\Roaming\...\gbHkPcl.exe, PE32 17->37 dropped 39 C:\Users\user\...\gbHkPcl.exe:Zone.Identifier, ASCII 17->39 dropped 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->53 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/68985dc9afb662122f34324cd3738b6c6b91b6b046c58d3cab3b350113757105/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 18:23:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
48
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e75ba58f56b634078e2b4e85d12815221518230bed0b7978afcc728b1e209e1
AgentTesla
31a3c2f298b8b235303ecdcbe989f24ddda02a2da072c78cb0c6d0f8e9cd282a
AgentTesla
36dabdaa3e32ea2722834a97e1248f7d82785313eada83cc105931cdb921b897
AgentTesla
63e9e2155d1e91db69ef70f561bb895db40b45d395960cca4ac467c4a454be4d
AgentTesla
6a132f2d0ea6b6e1e791dc4e59f699081a98f42418f51569434e8c7cf0f91dfd
AgentTesla
b38a2ad3c24569507db4067d4c211eb5b008e78ea1da1370b5aa216478867502
AgentTesla
dabba0dc8f8921f74b3c85de6a9ad8f9604a880158fb286acba5a67fd3eba406
AgentTesla
f1f9a09a55fb15d3815a84ab374464b9fe698e28b7fae363d4487c9e4136f3c9
AgentTesla
fd6615af15cd468d22f07e28c49bef1487c276a3e935b56589bef8157da058e1
AgentTesla
+ 14'848 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220217-w1gb6sdad8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
b13b0f84db2619bbac3160fe807bc7b940ad44071890dbfd4939169c932d6036
MD5 hash:
d62ca7cc3b980ac363233ca0bcd779b3
SHA1 hash:
179a19894fc3f37c9798c269e92394900a9a77c9
Link:
https://www.unpac.me/results/f6f22e9a-126e-4928-9efe-d3c644a00681/
SH256 hash:
ff0c2fc8bad22a322c1108f0a97423da94d92160e2fdbbdb626eb868053fb924
MD5 hash:
7082e40ed1d73b4fa648bef2659f084b
SHA1 hash:
3c1a6f73d40330184101d8e1db4d485181c72665
Link:
https://www.unpac.me/results/f6f22e9a-126e-4928-9efe-d3c644a00681/
SH256 hash:
d8161db8ae1576c1019f1166a6479fffff8a2b6aabf80992a3864e3dc255615f
MD5 hash:
5b12d5e026465400fd6b68503b453dd2
SHA1 hash:
414a48573e92a550202b498c24749f922177405f
Link:
https://www.unpac.me/results/f6f22e9a-126e-4928-9efe-d3c644a00681/
SH256 hash:
7f0996d7383978d2d07d510ced96614f897de264d84ec27c35a2b7face83402c
MD5 hash:
b61917719ab20f3d4504732aa5fc3387
SHA1 hash:
72fdb3dfa5cdbcad47d7b660e5a4f52a19fb554d
Link:
https://www.unpac.me/results/f6f22e9a-126e-4928-9efe-d3c644a00681/
SH256 hash:
68985dc9afb662122f34324cd3738b6c6b91b6b046c58d3cab3b350113757105
MD5 hash:
eaaa2689756daf3340c3efa22088e90e
SHA1 hash:
b2c8784f044522aef0cc251ee20927a9b61f74f0
Link:
https://www.unpac.me/results/f6f22e9a-126e-4928-9efe-d3c644a00681/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/68985dc9afb6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68985dc9afb662122f34324cd3738b6c6b91b6b046c58d3cab3b350113757105

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 68985dc9afb662122f34324cd3738b6c6b91b6b046c58d3cab3b350113757105

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2046534/
Cape
Cape
https://www.capesandbox.com/analysis/242363/

Comments


Avatar
zbet commented on 2022-02-17 18:22:56 UTC

url : hxxp://198.12.91.211/244/vbc.exe