MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b0b7f653e4aa7ad98b6417cf50934cc6825ccffdcb750baa321536cd8816e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash: 6b0b7f653e4aa7ad98b6417cf50934cc6825ccffdcb750baa321536cd8816e29
SHA3-384 hash: 03fe81d60476626077a08c203910062fe9d1b0aaee3d54448c1fbe87dc3a476dba98e771c0a3530ec8901f41402769b6
SHA1 hash: 165a1b9ce59f2d07bb8ae4ee81200345709007b0
MD5 hash: 75c66bdbd22e4745cf2554712c31bb9e
humanhash: alpha-blossom-zulu-oklahoma
File name:Statement of Account.exe
Download: download sample
Signature AgentTesla
File size:801'280 bytes
First seen:2022-08-05 09:17:47 UTC
Last seen:2022-08-16 06:49:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (31'209 x AgentTesla, 10'508 x Formbook, 5'466 x SnakeKeylogger)
ssdeep 12288:Ni78QCM0vT5XX2sIhKbZK6ZshN2gUDe8jTFa9Md8ClaO2tRaYnrdv7ByMg6SKlpx:jTtT5bIh6sOiMjlmLaYnrZ7BvLlpx
Threatray 19'660 similar samples on MalwareBazaar
TLSH T12F05129936EB9B13CAB84FF2B16522601B34A03F64AAE30E5C857CFB51B1B434751B53
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter @GovCERT_CH
Tags:AgentTesla exe

Intelligence


File Origin
# of uploads :
3
# of downloads :
269
Origin country :
CH CH
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
Statement of Account.exe
Verdict:
Malicious activity
Analysis date:
2022-08-05 09:19:02 UTC
Tags:
agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
–°reating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679169 Sample: Statement of Account.exe Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 11 other signatures 2->46 7 Statement of Account.exe 7 2->7         started        process3 file4 24 C:\Users\user\AppData\...\ObhZOLODRqR.exe, PE32 7->24 dropped 26 C:\Users\...\ObhZOLODRqR.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\AppData\Local\...\tmp656A.tmp, XML 7->28 dropped 30 C:\Users\...\Statement of Account.exe.log, ASCII 7->30 dropped 48 Adds a directory exclusion to Windows Defender 7->48 11 Statement of Account.exe 4 7->11         started        16 powershell.exe 21 7->16         started        18 schtasks.exe 1 7->18         started        signatures5 process6 dnsIp7 34 x1.i.lencr.org 11->34 36 mail.nikhillogistics.in 11->36 38 2 other IPs or domains 11->38 32 C:\Windows\System32\drivers\etc\hosts, ASCII 11->32 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->50 52 Tries to steal Mail credentials (via file / registry access) 11->52 54 Tries to harvest and steal ftp login credentials 11->54 56 2 other signatures 11->56 20 conhost.exe 16->20         started        22 conhost.exe 18->22         started        file8 signatures9 process10
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-08-05 08:27:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
9210c6577baa3181f7481da9ffcddb6b3c60a9d7e57deebd8f6367dfd003a1f9
MD5 hash:
ed0b3a8123db7ac0f0b89b9129204d6e
SHA1 hash:
ff699d2d147c77cec7026766c4b47d470eae8718
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
SH256 hash:
4b977cebb87c608e41aa70b293d5b8724035a13a5da31360a573c89f53a437c4
MD5 hash:
32ee16a86ccf174ff6d49c8fc4eaea67
SHA1 hash:
af4f5229c0ea0708827c374737dd60c809b632c4
SH256 hash:
9521cde54c736f367b3634fe264f8a1a5b976347af5a6e122e6f1b330595605e
MD5 hash:
ca022c6f2f560678ac236e70db88a259
SHA1 hash:
6e3b4363c4fb78184b298d8d57bca6ef7cb20fe8
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
SH256 hash:
6b0b7f653e4aa7ad98b6417cf50934cc6825ccffdcb750baa321536cd8816e29
MD5 hash:
75c66bdbd22e4745cf2554712c31bb9e
SHA1 hash:
165a1b9ce59f2d07bb8ae4ee81200345709007b0
Malware family:
AgentTesla.v3
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6b0b7f653e4aa7ad98b6417cf50934cc6825ccffdcb750baa321536cd8816e29

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment

Comments