MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9
SHA3-384 hash: 8b209746f020c2246ed933c9afe837af97f88f6f5efbc7371251e8c22dca7207c391b87a87c737b60fad29be44d2685f
SHA1 hash: 7dbcff253f08babfb45f7254ccfee445da3502ad
MD5 hash: 5f19da54cd1ddcef58de1e0bdf595459
humanhash: moon-fillet-yankee-salami
File name:5f19da54cd1ddcef58de1e0bdf595459
Download: download sample
Signature AgentTesla
Create hunting rule
File size:752'128 bytes
First seen:2023-10-18 17:23:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:fNau26+X/E7Y9F0lIw7iCZJEz6iSV1rrBuu2SBEctPv3pN9Ld0xT/VR3iXX52iGC:FaueRIXZalSMSBEctPv
Threatray 362 similar samples on MalwareBazaar
TLSH T15FF4DFAC3510B6DFC817C9368AA86C64AA206C76570BC207A05736EDDE1D6EBCF145F3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PACKING LIST-#-COMMERCIAL INVOICE-E2023-002.xls
Verdict:
Malicious activity
Analysis date:
2023-10-18 16:06:04 UTC
Tags:
opendir exploit cve-2017-11882 loader stealer agenttesla
Link:
https://app.any.run/tasks/76d26a9a-7f9d-46d1-aec3-7f851fa090ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17605.6970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/653014b52bf8b9cdc2774010/reports/3d0d7823-babf-475d-a735-54cd3623b447/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fab2e92d-a1c8-4c1e-b265-b0bd201548f7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328267
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328267 Sample: ypTqJeb2P6.exe Startdate: 18/10/2023 Architecture: WINDOWS Score: 100 36 mail.obmindia.com 2->36 38 api4.ipify.org 2->38 40 api.ipify.org 2->40 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 8 other signatures 2->52 8 ypTqJeb2P6.exe 7 2->8         started        12 xVhCNiIwzbhrO.exe 5 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\xVhCNiIwzbhrO.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmpB3EA.tmp, XML 8->34 dropped 54 Detected unpacking (changes PE section rights) 8->54 56 Detected unpacking (overwrites its own PE header) 8->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 66 2 other signatures 8->66 14 ypTqJeb2P6.exe 15 2 8->14         started        18 powershell.exe 20 8->18         started        20 schtasks.exe 1 8->20         started        60 Antivirus detection for dropped file 12->60 62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 22 xVhCNiIwzbhrO.exe 14 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 42 mail.obmindia.com 85.187.128.58, 49707, 49709, 587 A2HOSTINGUS United States 14->42 44 api4.ipify.org 64.185.227.156, 443, 49705, 49708 WEBNXUS United States 14->44 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->68 70 Tries to steal Mail credentials (via file / registry access) 22->70 72 Tries to harvest and steal browser information (history, passwords, etc) 22->72 30 conhost.exe 24->30         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9/
Threat name:
ByteCode-MSIL.Spyware.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 08:02:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 23 (78.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nlg7y7mdmw2oobufhfeqpjqoddvmdqivy5uzwnsoxkrc5hbbqp4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
28df40eb3104e2feb9fe3b1e7915d245abbd70abc6523756a61617731b8d8ada
AgentTesla
32812b32bcd108fe5d4322071ae981c09366c7e424e788db406d7f850b4d91fc
AgentTesla
34c7377e5b187edf6d660e7df34b68b968940b6de1399c2f4a3e5675099139f4
AgentTesla
41ba24841b5058d02d56f6e4bd187bd7c9f6ece97f38c682a27bfc26748e4c5f
AgentTesla
7a3b69d2da752d5b7be89edc1c1b71393d204915e91fc45d623ed9f61399dd92
AgentTesla
897a97b958884456ec4bc6222c29db3057ab0df05c31de0ad02fa1b0ab6a4730
AgentTesla
c7917d3ebb2c276113548fdfc4dec0b4db97145b9e687d3177248f1b675800fc
AgentTesla
ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31
AgentTesla
fec2fc59ff0deda9141200d10606ec0314a62f18a5b479e6438a13d8808d58ca
AgentTesla
fffc596389cada3bd1e1d1659029e607e14320cbdd126de7fdbe33b99f9c59d7
AgentTesla
+ 352 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231018-vypp4aac66/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
887c1868b2035053475d59246536ddd62c27337ec9f013d6dfe6c995e8eddea0
MD5 hash:
5bb973a00cee0e6c57b856335112abc7
SHA1 hash:
fe1e343446b8eb10b55d2a73e9f5060b375275b7
Link:
https://www.unpac.me/results/c9c2d9d6-485e-4a63-8ee9-e9ef9d4c3f4e/
SH256 hash:
83504e4957b6a912f212206d84c5a30c8878ff864359700e69f73586c19cc098
MD5 hash:
3503951190f52faa6b1e6860b82e0f3b
SHA1 hash:
eb5ebba6411b525114ee1fa1ede005bf6a3b70f8
Link:
https://www.unpac.me/results/c9c2d9d6-485e-4a63-8ee9-e9ef9d4c3f4e/
SH256 hash:
01aca1e4faa1e531066cc4741c367b13655a263ac75eebcc4b633dee1a845ca0
MD5 hash:
7ec09297e63772995d643ef41179f03c
SHA1 hash:
d60f688c6741baf57e3f4eb3aead58625b347376
Link:
https://www.unpac.me/results/c9c2d9d6-485e-4a63-8ee9-e9ef9d4c3f4e/
SH256 hash:
ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa
MD5 hash:
51e85d063788811778e570139e28ac5a
SHA1 hash:
b3a9f24d4d25c91058e6c1f91e07219423b428fa
Link:
https://www.unpac.me/results/c9c2d9d6-485e-4a63-8ee9-e9ef9d4c3f4e/
SH256 hash:
0fec508c14eee01d9b12546efe4498e73250c743b6d3aa6930b4a43df35c3aa7
MD5 hash:
c086ef628caf638d338f9177541ab1d1
SHA1 hash:
0d32a4ac36642dc0de88a3f554a8982165c847c2
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/c9c2d9d6-485e-4a63-8ee9-e9ef9d4c3f4e/
Parent samples :
f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114
6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9
SH256 hash:
6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9
MD5 hash:
5f19da54cd1ddcef58de1e0bdf595459
SHA1 hash:
7dbcff253f08babfb45f7254ccfee445da3502ad
Link:
https://www.unpac.me/results/c9c2d9d6-485e-4a63-8ee9-e9ef9d4c3f4e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2721996/

Comments


Avatar
zbet commented on 2023-10-18 17:23:17 UTC

url : hxxp://107.172.31.18/3c3/audiodgse.exe