MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69d6ba4ed00ec8b1990fd34b31f2b7abba0e3b711e85a9f0bc11276325d5ddb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69d6ba4ed00ec8b1990fd34b31f2b7abba0e3b711e85a9f0bc11276325d5ddb4
SHA3-384 hash: 0e4736859c42e0fc3e88a593809eda86be21cb1a0208c55d5135c2d28797c3a4431794a04688a55bb760a7759e3636de
SHA1 hash: 7ae007d4bede4f8f751d70f68d63130388f5f8e6
MD5 hash: 7c0803fba1838e2d97452449be48dfa3
humanhash: vermont-speaker-eighteen-kentucky
File name:7c0803fba1838e2d97452449be48dfa3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'205'248 bytes
First seen:2021-06-28 11:47:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:AeVwuo3gb10dWSPmjuzO4WYgFssYFjAaey3PHskD9cBQTO9W5+EBTaltZZTM:1Nx0QS+ju9qFMjADy3PMkBeQT55+v
Threatray 6'165 similar samples on MalwareBazaar
TLSH 10457EA0B5D088A6F8BB0EFD9D35643020ABBE5D5965800C55B9774A27B334390EBF1F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.babyjem.com.tr:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7c0803fba1838e2d97452449be48dfa3.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-28 11:47:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8dd4ebf0-0213-48c9-927b-8701f0b9d937

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168560/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.889.30313.9683.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/564582eb-f4a0-45e1-88bb-00270bb45239
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808776
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441185 Sample: Vb5jNvACmY.exe Startdate: 28/06/2021 Architecture: WINDOWS Score: 100 26 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->26 28 Found malware configuration 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 7 other signatures 2->32 6 Vb5jNvACmY.exe 3 2->6         started        10 tnvLnx.exe 3 2->10         started        12 tnvLnx.exe 2 2->12         started        process3 file4 20 C:\Users\user\AppData\...\Vb5jNvACmY.exe.log, ASCII 6->20 dropped 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->34 36 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->36 38 Injects a PE file into a foreign processes 6->38 14 Vb5jNvACmY.exe 2 5 6->14         started        40 Multi AV Scanner detection for dropped file 10->40 42 Machine Learning detection for dropped file 10->42 18 tnvLnx.exe 10->18         started        signatures5 process6 file7 22 C:\Users\user\AppData\Roaming\...\tnvLnx.exe, PE32 14->22 dropped 24 C:\Users\user\...\tnvLnx.exe:Zone.Identifier, ASCII 14->24 dropped 44 Tries to steal Mail credentials (via file access) 14->44 46 Tries to harvest and steal ftp login credentials 14->46 48 Tries to harvest and steal browser information (history, passwords, etc) 14->48 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->50 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/69d6ba4ed00ec8b1990fd34b31f2b7abba0e3b711e85a9f0bc11276325d5ddb4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 07:44:25 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhllutwqb3eldgip2nftd4vxvo5a4o3rd2c2t4f4cetwgjov3w2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
125caafa4c7faba98d28351be9df1d207a983137e2d3e483504dc0fb5433ea94
AgentTesla
30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713
AgentTesla
379cb7e16563b36644d8ffee8ae650e59fff7241835f129d9b5436279d90a6e5
AgentTesla
48869ae1d568baea4ea1ffba9f9e24819bb7a667052c7fde0e90d4d8ef7dde4f
AgentTesla
5a3f9d251d83e67be84a067e354a950596478b1fc2cd6d6d1cbb07f6ca57b557
AgentTesla
7c38652e82dd9a34d66d7f2086b55bd88db405974eed27dc8ac5ba3f15616729
AgentTesla
bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857
AgentTesla
c50594e26bf475268109c2843864ef12acaead42dba369abbff672f2e0db55bf
AgentTesla
c5808930a7bae7680c98a7ad4e5501b23c3cd1095d2ec4a7ea874a28e985dfd5
AgentTesla
e49ea9c326ce0cfcf7c4795428cda9d52da65c670a31748b1cb067b14d6a3c83
AgentTesla
+ 6'155 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210628-vmx4y5npb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/f164cd02-5237-44e9-8de4-2170f76b25b7/
SH256 hash:
f1ac69881d2e449d46e8de5f49d618c8c3bbcc6a2b750a1a533a09737fc95af7
MD5 hash:
c3b445929ca2ec41b2a81cadd1b4d941
SHA1 hash:
c8335a20d333c5ec9fb8a43bb9129dc4014b6ff3
Link:
https://www.unpac.me/results/f164cd02-5237-44e9-8de4-2170f76b25b7/
SH256 hash:
3b87cf1c201151e4db9b6a6be9e40e108cc40a3426e5780923947c7f60b0e2c3
MD5 hash:
d0d3039c4aee47ebb0f229cf6444b8ad
SHA1 hash:
a42c79ed30f958d22fdb8f3924e135e53acee937
Link:
https://www.unpac.me/results/f164cd02-5237-44e9-8de4-2170f76b25b7/
SH256 hash:
69d6ba4ed00ec8b1990fd34b31f2b7abba0e3b711e85a9f0bc11276325d5ddb4
MD5 hash:
7c0803fba1838e2d97452449be48dfa3
SHA1 hash:
7ae007d4bede4f8f751d70f68d63130388f5f8e6
Link:
https://www.unpac.me/results/f164cd02-5237-44e9-8de4-2170f76b25b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69d6ba4ed00ec8b1990fd34b31f2b7abba0e3b711e85a9f0bc11276325d5ddb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 69d6ba4ed00ec8b1990fd34b31f2b7abba0e3b711e85a9f0bc11276325d5ddb4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1407071/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168560/

Comments