MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6912b037f982a7f15515397d5acad1f246bb27d21db87439433773149edcac18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6912b037f982a7f15515397d5acad1f246bb27d21db87439433773149edcac18
SHA3-384 hash: c81a909d61e69173692ddd2c83096d04239f09120a947bbcd2ee9d1286f303daba8a2b38f5797cd9a9f67bcadc792e85
SHA1 hash: 1669129fbdb6db9961880e1eb141f27a333a1666
MD5 hash: 554a40726167555954ffb9331b339ddc
humanhash: speaker-quiet-timing-uncle
File name:554a40726167555954ffb9331b339ddc
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'798'144 bytes
First seen:2023-08-25 04:38:40 UTC
Last seen:2023-08-25 05:32:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ca28186d68c9a22a0e816e570aac96b (4 x RedLineStealer, 1 x AgentTesla)
ssdeep 24576:odJvYOQ9jN9cDubeOxrV/J8BlyMoIDURYkv79:odI9jN9cD8eaJ2lyMBg
Threatray 21 similar samples on MalwareBazaar
TLSH T1DB856B2178808131EEE710B7C6FDB829411EE1B4272755CB76FC57EEC7706E1AA32686
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
368
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
554a40726167555954ffb9331b339ddc
Verdict:
Malicious activity
Analysis date:
2023-08-25 04:40:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9a470f81-1abe-491b-a336-facd908d8b66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444646/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25663.7946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
Reading critical registry keys
Creating a file in the %AppData% subdirectories
DNS request
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108535/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin redline
Link:
https://www.filescan.io/uploads/64e83067b3b7d7c782cf3d47/reports/27414322-7f09-4ff0-ab62-031152f79118/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6912b037f982a7f15515397d5acad1f246bb27d21db87439433773149edcac18
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b87b1482-b1c1-4cdf-a706-47081b16384b
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1297155
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6912b037f982a7f15515397d5acad1f246bb27d21db87439433773149edcac18/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 15:29:15 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nejlan7zqkt7cvivhf6vvswr6jdlwj6sdw4hiokdg5zrjhw4vqma._file
Verdict:
malicious
Similar samples:
2439f74bc9e25492aba7b74e9777554c580fdcc8eb2a1d4cbe1fd83b7839c777
AgentTesla
4004e75b14a77bcd4a33f8d518522d13242180509e26a05c9217bd621fe20c7d
AgentTesla
577e25a072c7f933832e4d9b73bd806bf77fa56207f3c12384d4bebd03de3d7d
AgentTesla
5e8671453cab8ce33ccabb63e497b293526d955dcda009ada9b4756a1076e8d6
AgentTesla
680b9f5fe758d33fe29491c3b071d5b0cce2bc8d941382a58670b632a8f51eba
AgentTesla
96dd07bd64cbe4630378e1fedf380db4acce8e0fad4a3f650126fda5e4b8fe2c
AgentTesla
ef18e6f222c2c09b7fe21e19ddf9533510deae77e51e63d3c24a9f46e8701c82
AgentTesla
f74a35d89cbb249232a46462f0bc9b1855951cd0fd0ad149341218d8b99c2e38
AgentTesla
fb14388a70ce830ec47c12a68af6a3cb6df6e994a34e80528de176eab62b3ffd
AgentTesla
ffec60c04fbfc5fc53b99a9133d7e4432125622f25605ec0d94a413548a48e17
AgentTesla
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230825-e9yt5sah2z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
71439753c93301176e8989b629fe1bbb1d1a14c00a9c7168ce534d996e6235c3
MD5 hash:
bf250b0d98af57d4a60b60e64fbb9811
SHA1 hash:
e9c4a48ab1399bb3d957273e9cef55521001489e
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/c6af4c84-2474-4ed8-97e6-80a272b04cea/
SH256 hash:
6912b037f982a7f15515397d5acad1f246bb27d21db87439433773149edcac18
MD5 hash:
554a40726167555954ffb9331b339ddc
SHA1 hash:
1669129fbdb6db9961880e1eb141f27a333a1666
Link:
https://www.unpac.me/results/c6af4c84-2474-4ed8-97e6-80a272b04cea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6912b037f982/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6912b037f982a7f15515397d5acad1f246bb27d21db87439433773149edcac18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 6912b037f982a7f15515397d5acad1f246bb27d21db87439433773149edcac18

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2706893/
Cape
Cape
https://www.capesandbox.com/analysis/444646/

Comments


Avatar
zbet commented on 2023-08-25 04:38:41 UTC

url : hxxp://193.233.255.9/lend/a15pupoq0.exe