MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be
SHA3-384 hash: 651f307821baad05d6dc53e1871302616307d80d64b4e6dd69fabb2a1cd21c528299be3de9e9f3b3d3fc7971f86950b8
SHA1 hash: ee9e1897542ff3fb521ba9d473648c63ab94bdf4
MD5 hash: af56ac5662931fba5b4a155c0bdb7176
humanhash: grey-grey-island-alpha
File name:Request for pl.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:601'600 bytes
First seen:2023-04-11 17:39:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:BnBYW5Viz/dUGSuTZKUcuV6PBPRqUusjsW7OC7ZjQyF9qU0r:BnBRaC+ofuYQWDC
Threatray 173 similar samples on MalwareBazaar
TLSH T139D4011D6274DB61E81C0FF4545560826378BAA9F031EA98ACE333E746B2FE254493E7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c198989999e9b179 (16 x SnakeKeylogger, 13 x AgentTesla, 8 x Formbook)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for pl.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 17:40:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6abbb045-929d-4fc3-9689-68b15a80b082

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381536/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64359b74c41e8bc6a3b0f275/reports/092922cb-d784-4dae-af17-b50eda3010aa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df6ab35e-fdae-4cff-8beb-b74de990ccbc
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211994
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 844910 Sample: Request_for_pl.exe Startdate: 11/04/2023 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 4 other signatures 2->68 7 Request_for_pl.exe 7 2->7         started        11 uSptTSLAHq.exe 5 2->11         started        13 bUhSoz.exe 5 2->13         started        15 bUhSoz.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\uSptTSLAHq.exe, PE32 7->52 dropped 54 C:\Users\...\uSptTSLAHq.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpDCAA.tmp, XML 7->56 dropped 58 C:\Users\user\...\Request_for_pl.exe.log, ASCII 7->58 dropped 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->78 80 Uses schtasks.exe or at.exe to add and modify task schedules 7->80 82 Adds a directory exclusion to Windows Defender 7->82 17 Request_for_pl.exe 2 10 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        84 Machine Learning detection for dropped file 11->84 86 Injects a PE file into a foreign processes 11->86 26 uSptTSLAHq.exe 11->26         started        28 schtasks.exe 11->28         started        30 bUhSoz.exe 13->30         started        32 schtasks.exe 13->32         started        34 bUhSoz.exe 15->34         started        36 schtasks.exe 15->36         started        signatures5 process6 dnsIp7 60 host43.registrar-servers.com 198.54.116.10, 49697, 49698, 49699 NAMECHEAP-NETUS United States 17->60 48 C:\Users\user\AppData\Roaming\...\bUhSoz.exe, PE32 17->48 dropped 50 C:\Users\user\...\bUhSoz.exe:Zone.Identifier, ASCII 17->50 dropped 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->70 72 Tries to steal Mail credentials (via file / registry access) 17->72 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->74 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 28->42         started        44 conhost.exe 32->44         started        76 Tries to harvest and steal browser information (history, passwords, etc) 34->76 46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2023-04-11 17:39:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nh5blv3soxi5aob7nipmoe3zrgrzf7qxauglsdzwoduoqnhzgg7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04aa55e1600b801ddda368268eaf6f2ab9858f402b526468d727a943eadfb122
AgentTesla
1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
AgentTesla
44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc
AgentTesla
578873c16060e04fcfe43f9c9c04d2779a09a7566b3b4e97c1b18d87ac381057
AgentTesla
73d18d7b6bd92fa3e85db713d39f932c483c0317607b93a2b31845d4e703a6a2
AgentTesla
7e8283583026a288a16c98682ce3cf18308f78cb08cebf3dd6b3376aa7089733
AgentTesla
8a7ad0ac9a02dffbfd56debb206f3ab221974ef81540861409ffc412873d3da6
AgentTesla
d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
AgentTesla
e2c40dfbb54a5fe183a97cb7be58ee20969e9f0f7744df829f2b02619fc529e2
AgentTesla
e92efa61a4ae7376c52f323abae88f5303a217b58966e4a71042fbebd0cba60a
AgentTesla
+ 163 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230411-v8vn4aea49/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/8133cb9f-ccc7-4e0d-8665-e9b517b3db56/
SH256 hash:
1c57693ee1f7c6cf03a186442e148d61e8287bfe48c326c768637038c3f0f2dd
MD5 hash:
942d787ec6ce307b49f47d8c186a01ed
SHA1 hash:
90eb264b10bf5f03e0113d0f97bdeb70daf99dd0
Link:
https://www.unpac.me/results/8133cb9f-ccc7-4e0d-8665-e9b517b3db56/
SH256 hash:
dc9e4f5405434e16b403587e96c36ca90a5c22a74bc54f78d93630947b755f74
MD5 hash:
bb8d6810e174cf9e73c3d5e8c1e99942
SHA1 hash:
31432bd0b5fdaf00beb8aea44def7d5c6e6c6bcc
Link:
https://www.unpac.me/results/8133cb9f-ccc7-4e0d-8665-e9b517b3db56/
SH256 hash:
6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd
MD5 hash:
d52609f7faa0c91840a49a848a476000
SHA1 hash:
268d289f07cd7f58d0c4db7d785fa350a3ed431a
Link:
https://www.unpac.me/results/8133cb9f-ccc7-4e0d-8665-e9b517b3db56/
SH256 hash:
d986528110fb92252dd96dc95203829e358f77920de93161364fa33bc2ce094f
MD5 hash:
01ebfcdda00cb060b7c346dbdff1fb19
SHA1 hash:
106b578f75b21b36fc1573f00e5d6ec7f051f92c
Link:
https://www.unpac.me/results/8133cb9f-ccc7-4e0d-8665-e9b517b3db56/
SH256 hash:
69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be
MD5 hash:
af56ac5662931fba5b4a155c0bdb7176
SHA1 hash:
ee9e1897542ff3fb521ba9d473648c63ab94bdf4
Link:
https://www.unpac.me/results/8133cb9f-ccc7-4e0d-8665-e9b517b3db56/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/69fa15d77275/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/381536/

Comments