MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6be47a093d94d2a0cbf244526e25c08d28e8169e2fb70ff92824f333b131c206. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6be47a093d94d2a0cbf244526e25c08d28e8169e2fb70ff92824f333b131c206
SHA3-384 hash: c03c74f7d434109c0f3327974b376d41ae0725d2ccff06ea5b371167da7e79285a3ca8c1c378cfb48073cbc66e197ee8
SHA1 hash: 288c9b3cb1a23a11dcf7843a3a27713246fba181
MD5 hash: cd644c1ebc45ee3d06445a91284f1767
humanhash: coffee-cold-chicken-mexico
File name:SecuriteInfo.com.Win32.CrypterX-gen.22959.4131
Download: download sample
Signature AgentTesla
Create hunting rule
File size:797'184 bytes
First seen:2022-10-31 07:06:08 UTC
Last seen:2022-11-01 03:18:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:NMLeAgHtDg5xE1aSM6HNm6BQ9WlGeG1HubXiyr7qnSIVorLb355w3z5LErq:qLW41SBeWG9lubyyrWnS4orX3g39
Threatray 19'441 similar samples on MalwareBazaar
TLSH T19A05C03439EF911DF273AF718BD474EE86AEF763260BE45A109103864B13B81DD9163A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.22959.4131
Verdict:
Malicious activity
Analysis date:
2022-10-31 07:06:37 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/a23a8573-83cd-4309-bb22-9a64d56d1650

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326280/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.22959.4131.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/635f7417736e9d884f0da83f/reports/1a145980-f6f5-4e78-a82b-ee795fde5324/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c418cb7d-c4bb-45f9-8c28-9251a95fbc1e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101478
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 734139 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 31/10/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 7 other signatures 2->51 7 icLFANS.exe 5 2->7         started        10 SecuriteInfo.com.Win32.CrypterX-gen.22959.4131.exe 6 2->10         started        process3 file4 53 Multi AV Scanner detection for dropped file 7->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->55 57 May check the online IP address of the machine 7->57 59 Machine Learning detection for dropped file 7->59 13 icLFANS.exe 14 3 7->13         started        17 schtasks.exe 1 7->17         started        19 icLFANS.exe 7->19         started        21 icLFANS.exe 7->21         started        31 C:\Users\user\AppData\Roaming\icLFANS.exe, PE32 10->31 dropped 33 C:\Users\user\AppData\Local\...\tmp4E16.tmp, XML 10->33 dropped 35 SecuriteInfo.com.W....22959.4131.exe.log, ASCII 10->35 dropped 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 10->63 65 Injects a PE file into a foreign processes 10->65 23 SecuriteInfo.com.Win32.CrypterX-gen.22959.4131.exe 15 3 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 37 api.ipify.org 13->37 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->67 69 Tries to steal Mail credentials (via file / registry access) 13->69 71 Tries to harvest and steal ftp login credentials 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 27 conhost.exe 17->27         started        39 mail.bluemaster.es 82.223.17.94, 49704, 49706, 587 ONEANDONE-ASBrauerstrasse48DE Spain 23->39 41 api.ipify.org.herokudns.com 3.220.57.224, 443, 49703, 49705 AMAZON-AESUS United States 23->41 43 2 other IPs or domains 23->43 29 conhost.exe 25->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6be47a093d94d2a0cbf244526e25c08d28e8169e2fb70ff92824f333b131c206/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-31 02:42:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=npshucj5stjkbs7sirjg4joaruuoqfu6f63q76jietzthmjryida._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0725c4cfe7eb19106a14377c1062e4382cdcf19b38e90665b3e26b26669de074
AgentTesla
202e4676713e980f9bef2b8b87f34f90cdd2dff657920e928e550eab3d745b58
AgentTesla
35da2bcbc83576ad40864497f224bd79c650fba90157f0e4351a8c13e7b0efeb
AgentTesla
57723ebe18b3371ec8c844fa7a0bc1039b420d2cf56759a2ad3cd087b459989f
AgentTesla
6c0fa98c3efe2e344205ce8ebf89e440100294b7a1d4624f7484c2dadc644b0b
AgentTesla
77e60f86df5027b5cddd14fb1e0acc3e9a2c5456efeea831118d36180358c591
AgentTesla
8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b
AgentTesla
b37d9a54e81fc3feac68afee6c776fea62e111491db1da57456452beabe118ac
AgentTesla
fe4d35aa4b996c11b247ce2eeda07ce6a932172e73b9db9fc00bb2e2f9ac2aa1
AgentTesla
+ 19'431 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221031-hxmswsbbej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/14aa6968-f987-4287-befb-947b17c5b011
Unpacked files
SH256 hash:
d0eeed3bef407577708c22f7a88cc27396d6b1c07299697e3ffc7b701f767997
MD5 hash:
198516b64b614e4122ee39f2c41da030
SHA1 hash:
8011a04ce4a94dab20b72abe1db10b4b02007201
Link:
https://www.unpac.me/results/7ddec876-d3a8-409f-a048-a58577c134bb/
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/7ddec876-d3a8-409f-a048-a58577c134bb/
SH256 hash:
d5cbf4407e577a521a1d0997f07257838c3828d4933ebb3df5509fb601b59da3
MD5 hash:
342683698cd6a940bf548428a94f72a7
SHA1 hash:
7aec215084f73df332caaee4b8c046676da04414
Link:
https://www.unpac.me/results/7ddec876-d3a8-409f-a048-a58577c134bb/
SH256 hash:
6be47a093d94d2a0cbf244526e25c08d28e8169e2fb70ff92824f333b131c206
MD5 hash:
cd644c1ebc45ee3d06445a91284f1767
SHA1 hash:
288c9b3cb1a23a11dcf7843a3a27713246fba181
Link:
https://www.unpac.me/results/7ddec876-d3a8-409f-a048-a58577c134bb/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6be47a093d94/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6be47a093d94d2a0cbf244526e25c08d28e8169e2fb70ff92824f333b131c206

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326280/

Comments