MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a11cc4a941a3406dbe63e9f5e643b01fe5bb678f221fec4b94a0a527b444b9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments 1

SHA256 hash:	6a11cc4a941a3406dbe63e9f5e643b01fe5bb678f221fec4b94a0a527b444b9e
SHA3-384 hash:	dcd7ebd0ae8da35d0cedd74d215e91866e64c5173c47021c9cef1b84f0b414c51e68f2e23b15c44778e44d6d05479f67
SHA1 hash:	208bc83ebfd77e476f98250f4c8bf01dcdf01adf
MD5 hash:	cbff1cb89ab14ecbc0a1cdfacaa689e9
humanhash:	failed-nineteen-mango-failed
File name:	cbff1cb89ab14ecbc0a1cdfacaa689e9
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	973'824 bytes
First seen:	2022-11-09 08:28:28 UTC
Last seen:	2022-11-09 14:29:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:x9o0kOjI1+caihEZ3mFiSC1bg/vwwXVNdPIuN0wsXNXZa5MPvmMV/GJmgHuNCi:48nWrZdwuts9XQq/JmF
Threatray	20'458 similar samples on MalwareBazaar
TLSH	T16525BE5666ABCA62F7C107BB91DBDC1047E9B6A306D2EE6BB89443E1F407F42C501B70
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13097/50/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Remittance Slip 103.xls

Verdict:

Malicious activity

Analysis date:

2022-11-09 07:17:18 UTC

Tags:

macros exploit cve-2017-11882 loader agenttesla

Link:

https://app.any.run/tasks/4397050c-9adb-40f2-9b68-612129ecc8a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/331084/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.3905.8556.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/636b64cf83b66bc0f0422882/reports/4be27601-1499-4e27-9e59-a3ae775f8a73/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e37d4fc-db4e-4a1f-99ed-bb35971e4dcf

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1109861

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a11cc4a941a3406dbe63e9f5e643b01fe5bb678f221fec4b94a0a527b444b9e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-09 07:13:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nii4ysuudi2anw7gh2pv4zb3ah7fxnty6iq75rfzjiffe62ejopa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

57723ebe18b3371ec8c844fa7a0bc1039b420d2cf56759a2ad3cd087b459989f

AgentTesla

584bd954035020f5bf4699ff5c1e345b915df35c618aaa85d70d8fd2666a5809

AgentTesla

eb315f25a82f07dac9c40b3eac6db816a46ed3755f79d01a64c1681e148bee82

AgentTesla

f6affd72ae56e2fde50c5c451638940d4089f0e37064fb9bfef5de2d8ae2b924

AgentTesla

+ 20'448 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221109-kdj9rsggem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59

MD5 hash:

404efdeb9931733904da07f96fabeb72

SHA1 hash:

7ce363cd612f1d9a90b33ec196c4d0a49cdaee02

Link:

https://www.unpac.me/results/f67c57f9-ba47-41f0-9de5-01dec76f0a4b/

SH256 hash:

4259231879624a201601fa2cc3668c09a9af91dbaf1f5ff007e7615d83bf846f

MD5 hash:

479418647d432b738fa241dadd6c685f

SHA1 hash:

71c5f89655a14db70176af435aeeeae9b9e1aa59

Link:

https://www.unpac.me/results/f67c57f9-ba47-41f0-9de5-01dec76f0a4b/

SH256 hash:

5b3c58221e72fde97df366726fc295f5c8f5811988f8bc058bbb3c18509759bc

MD5 hash:

63be3c97ebade6add4c710d970371a1d

SHA1 hash:

5e10ceed8ee2c14901d97d2db6b4a55ded0b9ce9

Link:

https://www.unpac.me/results/f67c57f9-ba47-41f0-9de5-01dec76f0a4b/

SH256 hash:

6a11cc4a941a3406dbe63e9f5e643b01fe5bb678f221fec4b94a0a527b444b9e

MD5 hash:

cbff1cb89ab14ecbc0a1cdfacaa689e9

SHA1 hash:

208bc83ebfd77e476f98250f4c8bf01dcdf01adf

Link:

https://www.unpac.me/results/f67c57f9-ba47-41f0-9de5-01dec76f0a4b/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6a11cc4a941a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/6a11cc4a941a3406dbe63e9f5e643b01fe5bb678f221fec4b94a0a527b444b9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 6a11cc4a941a3406dbe63e9f5e643b01fe5bb678f221fec4b94a0a527b444b9e

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2405530/

Cape

https://www.capesandbox.com/analysis/331084/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-11-09 08:28:42 UTC

url : hxxp://23.94.231.154/lee.exe