MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f
SHA3-384 hash: c1ff3c6853389185cb0a0a490ced4046efc51f2c5d5e2a174bcb4e4176f83e970ffa3f8eb06acf8c57c77e515fcdf5c5
SHA1 hash: 742ccb1a0eb5e7521301cf2293a1689748dc44c3
MD5 hash: fe895adeab166572816f8a29de2b50a0
humanhash: carbon-avocado-low-saturn
File name:order 600368142959.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:940'544 bytes
First seen:2023-06-20 07:23:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4V3NBX6Ioc6chPtNfcFD8FrqdIBfK5sMPzI/Z8NeMvnWX:k+IvltNfcFD8FrUIBfK/LI/aeMvnWX
Threatray 3'908 similar samples on MalwareBazaar
TLSH T1C515C4BD69D026B7D475D5B2C16234C9F63F6322B2534D6822D2DEC7866248E37EC80E
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order 600368142959.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 07:35:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72c3e5f7-6b03-48ad-ae89-6eec4d845652

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400908/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.31757.13053.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/649154149d44d31f835bbf9c/reports/548e3f2b-d91d-415d-959c-d08ce1b7c7b7/overview
Verdict:
Malicious
Labled as:
Trojan.Olock.Generic
Link:
https://www.hybrid-analysis.com/sample/69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aea26804-f770-4268-be84-0345919ab9b1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257978
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890999 Sample: order_600368142959.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Antivirus detection for dropped file 2->46 48 14 other signatures 2->48 7 order_600368142959.exe 6 2->7         started        11 cfEFqKU.exe 2 2->11         started        13 My App.exe 2 2->13         started        15 My App.exe 2 2->15         started        process3 file4 30 C:\Users\user\AppData\Roaming\cfEFqKU.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmpCB96.tmp, XML 7->32 dropped 34 C:\Users\user\...\order_600368142959.exe.log, ASCII 7->34 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->58 60 May check the online IP address of the machine 7->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 7->62 64 Injects a PE file into a foreign processes 7->64 17 order_600368142959.exe 17 5 7->17         started        22 schtasks.exe 1 7->22         started        66 Antivirus detection for dropped file 11->66 68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 signatures5 process6 dnsIp7 36 api4.ipify.org 104.237.62.211, 443, 49689 WEBNXUS United States 17->36 38 api.telegram.org 149.154.167.220, 443, 49690 TELEGRAMRU United Kingdom 17->38 40 api.ipify.org 17->40 26 C:\Users\user\AppData\Roaming\...\My App.exe, PE32 17->26 dropped 28 C:\Users\user\...\My App.exe:Zone.Identifier, ASCII 17->28 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->50 52 Tries to steal Mail credentials (via file / registry access) 17->52 54 Tries to harvest and steal browser information (history, passwords, etc) 17->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->56 24 conhost.exe 22->24         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f/
Threat name:
Win32.Trojan.Olock
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 01:34:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhlxd3tohmxelfyogzlzs4fiwzrc6i4v62dpkadib5uv22rc4q7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24c833b34f54668f74ebc8f23d79777b766fcc52b7a4006f9b6936b56ef11a17
AgentTesla
3d318fe7e857edb9267b1b826b71027ad24d9872f8540a707f1e2505a43c95af
AgentTesla
4d6e6965c6ab38f3ebd1a2ec242f4226b6807386ce5a1755678e242023d04f7e
AgentTesla
73548862188e8c725343fd2453085ea5e8ad1b78649ac1d6d0e7df9bf308f8ce
AgentTesla
8743e0488e2396c788528f3febac8b7ced15f219750753231918a2b67a40ca8b
AgentTesla
9322aba6565a41f6866f5641f577fc6f7605b131a1ef15d737bb42e029743fa7
AgentTesla
caf42b1f04263f24d4911b5df67dfe700c046af1b1d5e7f299afcd5f698a4db1
AgentTesla
d65f2f9e7f0d7a2151b4dcc7ef0eaa3107006a11db439e846f8bc2e6c50c6f54
AgentTesla
ef30052ac363410d23b70490792ef58d8cb48be9803141003bd5b732ae2d4a31
AgentTesla
+ 3'898 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230620-h8c3tsbh4x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6183516195:AAGroGis7p5fXdvXZSrjdNBybUTdUEGzfz8/
Unpacked files
SH256 hash:
4a6d6155f7bad0ea8dcd35b10e42d310615b5044d5cecf73150e4e4007c1e48a
MD5 hash:
c5e192dbc326f11d192b1b014bda96b0
SHA1 hash:
8ae4704e06d0c554f1a1c717148481910d332a20
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/0d3528cb-0741-4585-a84f-25aa9b71488f/
SH256 hash:
be2e06c47997f01d65fd0512cc66788c1fbe10576ddc2e2b3a0fcd69176f0f78
MD5 hash:
be270ea9ef615d24cfd92998eaa67b91
SHA1 hash:
0c0e66a90fbf812e32c5bb85dc2da0c24a4fbfa0
Link:
https://www.unpac.me/results/0d3528cb-0741-4585-a84f-25aa9b71488f/
SH256 hash:
d78aa757568413439b7c10074618af6dd1081870b6426b7a1562827ae7f3e9d1
MD5 hash:
63cedbe00296fa7cfd4e2f7399f90389
SHA1 hash:
01e389c2f6657f3b19a952f4edbf8a628866f675
Link:
https://www.unpac.me/results/0d3528cb-0741-4585-a84f-25aa9b71488f/
SH256 hash:
69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f
MD5 hash:
fe895adeab166572816f8a29de2b50a0
SHA1 hash:
742ccb1a0eb5e7521301cf2293a1689748dc44c3
Link:
https://www.unpac.me/results/0d3528cb-0741-4585-a84f-25aa9b71488f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8da906c20224d3e4c93fc592fe32f6dd78fe97592adcb10dfe6ff22e03c55259

AgentTesla

Executable exe 69d771ee6e3b2e45970e36579970a8b6622f2395f686f500680f695d6a22e43f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8da906c20224d3e4c93fc592fe32f6dd78fe97592adcb10dfe6ff22e03c55259
Cape
Cape
https://www.capesandbox.com/analysis/400908/
  
Dropped by
MD5 e3f9d668ee149f5ef85aa0e650df8d39

Comments