MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b
SHA3-384 hash:	02b406ce990e3ab521f39da43c36ce739ec65caa77a68d0f41b502b32767b041c4afb81d5768053e58c3a00b19ab96ef
SHA1 hash:	f16bd7721b7bbb3935f30e8f9828e3759a468e84
MD5 hash:	c58d3fc97a370549da6c5242c87572d6
humanhash:	neptune-alabama-nebraska-king
File name:	SecuriteInfo.com.Troj.Krypt-TF.20337.6044
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	990'720 bytes
First seen:	2022-12-09 05:27:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:iWfqJiG6zim2oGzdpLi7L5ymTu8CYTTane/YdigbRgSpF:i1IG6mAGzfLEL5BvT+vogbRg
TLSH	T11D257DD5ABF2A026F98F72912418769DDC35BD43374BE19627723B1082D48FFB6A8443
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/344583/

Detection(s):

SecuriteInfo.com.Troj.Krypt-TF.20337.6044.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6392c763f6e448d42df7c150/reports/4b2b9de0-5912-45bc-b489-1655abe7ffb0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ab8a5040-b20d-48b8-ba87-613c71f9d03a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1131220

Signature

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-12-09 05:28:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 26 (42.31%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ngbjmhbucobfyd3rl7cucuij7qyhevtxev2e32bydqvzameibznq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221209-f51cvafd5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5792273343:AAEA9U7DCI4qHTq4iHfT5XkdD5IEsA0KtTo/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bb10919e-753d-46a9-ad92-58b28ed61000

Unpacked files

SH256 hash:

61678422601aae2f3b3a9a572ea8df2f6cd8fb256af9c944fd6733e909d4000f

MD5 hash:

3aa2dc86a2aabbd8459228d0b5be165d

SHA1 hash:

cb5250fc6335e90b1f385d89b2c0fa0925308115

Link:

https://www.unpac.me/results/834db8d3-45b2-43e6-8d03-8313008eb904/

SH256 hash:

e9ecd50331eb4649bb2084fe56d7bcc5ef01c0cc72e91752864898b8f947e52d

MD5 hash:

f1bf8f18985db90c20e8033ffa14a5b0

SHA1 hash:

99112064534267cafb64b6864e665201757f8ba7

Link:

https://www.unpac.me/results/834db8d3-45b2-43e6-8d03-8313008eb904/

SH256 hash:

688602735441ca82fa7dd93c61030859e3f957fa9ee4020c66254056881a44d4

MD5 hash:

c9967ef1552fe0f811e70190705f399d

SHA1 hash:

914bb8bf9eb17a8d286c7c00e32e92ee07eb359b

Link:

https://www.unpac.me/results/834db8d3-45b2-43e6-8d03-8313008eb904/

SH256 hash:

922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50

MD5 hash:

1ecb63625d636b0b8f8ebdece9fa80c3

SHA1 hash:

5623d5ad21fc63893011bae7e4709c51219fcc1c

Link:

https://www.unpac.me/results/834db8d3-45b2-43e6-8d03-8313008eb904/

SH256 hash:

4a7ec6d1287077faa821e84ae7c930e5100bf2f793ff2b803a430d7bc04b8744

MD5 hash:

a04d8e56be6540499cc1808813107552

SHA1 hash:

1ac35020e04bb2257d2289f9891c57219428f679

Link:

https://www.unpac.me/results/834db8d3-45b2-43e6-8d03-8313008eb904/

SH256 hash:

6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b

MD5 hash:

c58d3fc97a370549da6c5242c87572d6

SHA1 hash:

f16bd7721b7bbb3935f30e8f9828e3759a468e84

Link:

https://www.unpac.me/results/834db8d3-45b2-43e6-8d03-8313008eb904/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6982961c3413/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344583/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample