MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b55487aa7361ed9bf118defae85bba669de4f2b37fd69cb7c6e13bc732aec16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b55487aa7361ed9bf118defae85bba669de4f2b37fd69cb7c6e13bc732aec16
SHA3-384 hash: 53036f54a9a21929df248310e129df250de94efbd6cd4f5121262c54e590d8160ef3f6a7df0d375a4ef0010d6bd211c1
SHA1 hash: 9adf1543aa6cef35b8943142c0a3e33affa34a95
MD5 hash: 9f7a69702e900eb7adc2c90c8c9fa0a3
humanhash: harry-wyoming-robin-california
File name:PO650.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:766'976 bytes
First seen:2022-08-08 08:22:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:WFxgV2iNq+1MtWeWCwlE5wON4coNt/4FQMP1spqWRo4eAwRXIbUDbLDuXk:WFxgV10tWiw2wOLor/4Ftdspq6e9IbUV
Threatray 20'150 similar samples on MalwareBazaar
TLSH T137F4AE0BBF147708C9A76AB5EE0BBDA2A7F61C5D3165D0783E547C0A4AFF301E51242A
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://107.182.129.59/r1/33/inc/2ada0ebc141469.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://107.182.129.59/r1/33/inc/2ada0ebc141469.php https://threatfox.abuse.ch/ioc/841997/

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO650.exe
Verdict:
Malicious activity
Analysis date:
2022-08-08 08:24:24 UTC
Tags:
trojan rat agenttesla opendir stealer
Link:
https://app.any.run/tasks/8dd43843-3744-4520-92aa-803f3a81125d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297099/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f0c864b7eec656279883e4/reports/dd1a4c73-bb16-4ffc-a75f-cbd96e3bff35/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bc940b3e-559e-4b47-a1d1-4d38c350520d
Result
Threat name:
AgentTesla, Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1047779
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 680269 Sample: PO650.exe Startdate: 08/08/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 11 other signatures 2->59 7 PO650.exe 7 2->7         started        11 excel.exe 2->11         started        13 excel.exe 2->13         started        15 3 other processes 2->15 process3 file4 39 C:\Users\user\AppData\...\ckSrPrPwSv.exe, PE32 7->39 dropped 41 C:\Users\...\ckSrPrPwSv.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\Local\...\tmp6679.tmp, XML 7->43 dropped 45 C:\Users\user\AppData\Local\...\PO650.exe.log, ASCII 7->45 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 67 Injects a PE file into a foreign processes 7->67 17 PO650.exe 5 7->17         started        20 powershell.exe 24 7->20         started        22 schtasks.exe 1 7->22         started        69 Antivirus detection for dropped file 11->69 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->73 83 3 other signatures 11->83 75 Tries to steal Mail credentials (via file / registry access) 13->75 77 Tries to harvest and steal ftp login credentials 13->77 79 Tries to harvest and steal browser information (history, passwords, etc) 13->79 81 Installs a global keyboard hook 13->81 signatures5 process6 file7 35 C:\Users\user\AppData\...\Ulneqxybeynqzl.exe, PE32 17->35 dropped 37 C:\Users\user\AppData\Local\...37zcddivmn.exe, PE32 17->37 dropped 24 Ulneqxybeynqzl.exe 17->24         started        29 Nzcddivmn.exe 1 11 17->29         started        31 conhost.exe 20->31         started        33 conhost.exe 22->33         started        process8 dnsIp9 51 107.182.129.59, 49774, 49775, 80 META-ASUS Reserved 24->51 47 C:\Users\user\AppData\Local\...\excel.exe, PE32 24->47 dropped 49 C:\Users\user\AppData\...\tmpG843.tmp (copy), PE32 24->49 dropped 85 Antivirus detection for dropped file 24->85 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->87 89 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->89 97 4 other signatures 24->97 91 Multi AV Scanner detection for dropped file 29->91 93 Machine Learning detection for dropped file 29->93 95 Creates multiple autostart registry keys 29->95 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b55487aa7361ed9bf118defae85bba669de4f2b37fd69cb7c6e13bc732aec16/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-08-08 08:23:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnkuq6vhgypntpyrrxx25bn3uzu54tzlg76wts34nyj3y4zk5qla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d34612769ca0bec0bda68a9b182b7477107288b8272f855e6e75bd0b330dcdd
AgentTesla
1d9a5a1ad734aa6cca8a32b8f4e5d16c20582146fc96acaeb39d54b907a2b978
AgentTesla
32a82674cb231436001a0f481cbf4ff966841ea1a08a7127d1cd2e73a6037553
AgentTesla
6099e48acdfc2f116c21d55e3aff1a1b7bc0d4c5841ee5506f762cd66935ca2e
AgentTesla
83a8442f2117669d14593780f08d70dce9ad99cfdf26b827cba2feacc856c49b
AgentTesla
d8c3b2d70e3dd93e07ebb36381043d8763c284602849cb9be5ca22c1e190afb1
AgentTesla
e5097db57c0475b96c038290399f48135c5273c569aa476eb7d8b98c4b92c8f5
AgentTesla
+ 20'140 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220808-j95d5sabf6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Malware Config
C2 Extraction:
http://107.182.129.59/r1/33/inc/2ada0ebc141469.php
Unpacked files
SH256 hash:
3866f73069dea845573793e0b61fbbbf70e708a44aad8a3bf48b5fcb65e8c96b
MD5 hash:
9dad7b704000905d62e1b26c8df24507
SHA1 hash:
ab45c6250972a5ab488ebc52b75e0260207875b1
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
SH256 hash:
51fe016dde23790fda4514809e17e798caa11eb644618f33f5acc0fe21ff9086
MD5 hash:
686c8fe892825cf63f321f1dc40af1fc
SHA1 hash:
f02fde8a82b9517a33ddb32d27b6f8bdff7c7d4a
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
SH256 hash:
642d5b8aa52ca35d8386a5b4302aa503d330753426dd950e6c2a47efdbb4b7e2
MD5 hash:
2e85fdecd9837f0895ee6568f97b3cfd
SHA1 hash:
a4df92cf9adfa1c7d26f6d19923cbfa4cbfc596f
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
SH256 hash:
36e1a9e1aa7379f52decbd0a224e267c25a659057f30cbf36be9a0f6327e3a90
MD5 hash:
9b54db4619c60b6e17e4aa56cb184529
SHA1 hash:
9b164b75c71128a69086dfdb816ab5170bc2fef8
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
SH256 hash:
e2d5a055f1f93704d43265df3c767dfd3756ec82e73fb42afaba14b7721b8fbe
MD5 hash:
af01b91eb8dc805b824ca481978f15eb
SHA1 hash:
674fc8e2c8a28d036f3ebdba5de98b623b2ce856
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
SH256 hash:
c7caa2be3c12c49ed887e08a9f87afbbaef669f64ab5d9ab7a7e1acd95a99f5e
MD5 hash:
143df79cc6329bb7d28a3914af42bad0
SHA1 hash:
bb40cbe713905da365bdfbfaa76b5afa2711500b
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
SH256 hash:
6b55487aa7361ed9bf118defae85bba669de4f2b37fd69cb7c6e13bc732aec16
MD5 hash:
9f7a69702e900eb7adc2c90c8c9fa0a3
SHA1 hash:
9adf1543aa6cef35b8943142c0a3e33affa34a95
Link:
https://www.unpac.me/results/71f901eb-69da-4459-bd3a-abb67b701db4/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b55487aa736/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b55487aa7361ed9bf118defae85bba669de4f2b37fd69cb7c6e13bc732aec16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/297099/

Comments