MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b89b2149a6e472463d744d5915c98aae96980b90653f20704959f2c9476ed9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b89b2149a6e472463d744d5915c98aae96980b90653f20704959f2c9476ed9a
SHA3-384 hash: b95aac48c02057bb4147c3bf218401e06bbf1e857654e35f5f78cc9b6ad8b5b22b6b5a598428839cef9b0dd9ad9cec9e
SHA1 hash: 62cfab2635bf6b8c6eace08e5c3db9205040a6d5
MD5 hash: 6e76d5771fd3de20bbf3c782be162a82
humanhash: stairway-ten-bluebird-quiet
File name:SKM 89426184232.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:726'528 bytes
First seen:2022-11-16 07:34:23 UTC
Last seen:2022-11-16 09:53:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:5qzZfC1KcUWEF+zPrLg07vXjz5g6YCbR8gcpCYrN:5qdq1KtgzPrLDTz5sYZICQ
Threatray 22'364 similar samples on MalwareBazaar
TLSH T115F43A2D79BCF412EF3BA9A70EF6AA4FCC701241121A91071D293BDEE9358763D4D14A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SKM 89426184232.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 07:35:12 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/bc602019-5446-495c-b503-289535e0eea7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334674/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25811.8343.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637492a707c3f5e84a01633b/reports/5ac5c415-337c-4ed8-ba24-61f6ec797239/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95305b8a-e3c2-44cf-83d6-4abd022d2921
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114592
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747288 Sample: SKM 89426184232.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 14 other signatures 2->51 7 HwXGWrYutUR.exe 5 2->7         started        10 SKM 89426184232.exe 7 2->10         started        process3 file4 53 Multi AV Scanner detection for dropped file 7->53 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 63 2 other signatures 7->63 13 HwXGWrYutUR.exe 7->13         started        17 schtasks.exe 7->17         started        35 C:\Users\user\AppData\...\HwXGWrYutUR.exe, PE32 10->35 dropped 37 C:\Users\...\HwXGWrYutUR.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp9024.tmp, XML 10->39 dropped 41 C:\Users\user\...\SKM 89426184232.exe.log, ASCII 10->41 dropped 59 Adds a directory exclusion to Windows Defender 10->59 61 Injects a PE file into a foreign processes 10->61 19 SKM 89426184232.exe 15 2 10->19         started        21 powershell.exe 20 10->21         started        23 powershell.exe 19 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->65 67 Tries to steal Mail credentials (via file / registry access) 13->67 69 Tries to harvest and steal ftp login credentials 13->69 71 Tries to harvest and steal browser information (history, passwords, etc) 13->71 27 conhost.exe 17->27         started        43 ftp.alonsorojasmudanzasnacionales.com 162.213.251.217, 12076, 12086, 21 NAMECHEAP-NETUS United States 19->43 73 Installs a global keyboard hook 19->73 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b89b2149a6e472463d744d5915c98aae96980b90653f20704959f2c9476ed9a/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 07:01:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=noe3efe2nzdsiy6xitkzcxeyvluwtafzazj7ebyeswpszfdw5wna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00ad54ec22a085696d3305781bd92ca95459859b6eaf474f6841a895bb01043e
AgentTesla
1581b1513b20123164ebfa64a4a186bcc2c370ad41d89031cb37a7741adfd573
AgentTesla
286bdb0185504415cabb48bf457625b8c3da92c22132bb4ebcd960b27936e35a
AgentTesla
38eb513c7b5f13dc2253584e86228128153e4cb038b9a5eb6999c2dbf85915ea
AgentTesla
5b03580eb279892ac9a03742ea838ffc55bfde4c4a1edf66a03cceec400c81e2
AgentTesla
623bdc656fae0d7df14f7d3366fecd605499d5ddfb5eca994849d01ec3892878
AgentTesla
89eebbc30f01ee4b99d457ca5c7c5b3514f9e69c57792e9a29d77333b33d9ba4
AgentTesla
d0e3b6ae7c5eeeb3d7a830619b3b11fb9463a1dc5808aad5926eea6fa49c7893
AgentTesla
ebe8c86ca059666af9b093c7755cd912314213ec3fccd4f4efce6fbe1745ee41
AgentTesla
f91175784f25d47d86fc18f403abf1031cf131b981a13f790cce98b002c5ec54
AgentTesla
+ 22'354 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221116-jensxade8v/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e5ae01dc-7ba9-45c5-b7e6-264c3070431a
Unpacked files
SH256 hash:
4b2de6032787eaa21448c11c5868d51b508f2ecbd8c38d40263fb89a51dd1b2c
MD5 hash:
1f4c3f65a16c1b5c4aaddebca58cf6fb
SHA1 hash:
e0d6501d80df8f5ec8004a3ac0265e060d545145
Link:
https://www.unpac.me/results/d8b7b82c-e269-4524-ba76-08c004bce46c/
Parent samples :
d2f993ff59a92848cfc6be4eb2f84423aec3736140da53cdb8fbf36d81c7c2f3
8e520f1ecc9ee00de91d22b0b66dcd59023efa5c8d89812801c36e4362b32539
bbbaabfbbaff1be76997a22ce42b0bba54f1c9579a12c485157d4d1606cc99d9
6287b244e3888711717a3fe8613316fce70dbec3b54dc431ad953ba6f1270cc7
3b104fc01064b1cf703af9e8483e0c81c972c8f9da8c7927efebc1ef6409d22e
cfdb6a52765c4f03471458ce196e160f320cc15223358b9e56266af135895173
f10dd98b11b51294979160959031a2087f00361c546d945d75a4c2fd7fac6c28
3fb98b057620b6aad473c5e6a67c38c601d05272db5128b108c77c22cfb2fce2
ed684b6619d2af10776e9f6e7e61ee30844d968e72f20754cab58c80c7a489af
d40d085b1c2f603ce77a22a4c0fc095b79eb62c477a4f8194576380249f61b99
SH256 hash:
546ca9e7a012a23c034378ea770964f54e1aa385d6d650051d86ca18acac152e
MD5 hash:
72c6e7d3a54775e7326bd4d96f129877
SHA1 hash:
8fd7c23c2591febbf5714b26f63e6338fe2289cd
Link:
https://www.unpac.me/results/d8b7b82c-e269-4524-ba76-08c004bce46c/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/d8b7b82c-e269-4524-ba76-08c004bce46c/
SH256 hash:
1aa73fecf814e63101cf64768e5d89c7f04ed128afbff748b8c3f3534f7860f2
MD5 hash:
45f3139144f428ae61c803d6f6486a76
SHA1 hash:
28da0eff83bdb056691854eb61614c7acde9b2d1
Link:
https://www.unpac.me/results/d8b7b82c-e269-4524-ba76-08c004bce46c/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/d8b7b82c-e269-4524-ba76-08c004bce46c/
SH256 hash:
6b89b2149a6e472463d744d5915c98aae96980b90653f20704959f2c9476ed9a
MD5 hash:
6e76d5771fd3de20bbf3c782be162a82
SHA1 hash:
62cfab2635bf6b8c6eace08e5c3db9205040a6d5
Link:
https://www.unpac.me/results/d8b7b82c-e269-4524-ba76-08c004bce46c/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b89b2149a6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b89b2149a6e472463d744d5915c98aae96980b90653f20704959f2c9476ed9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6b89b2149a6e472463d744d5915c98aae96980b90653f20704959f2c9476ed9a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/334674/

Comments