MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bec6b5275b9cf30eb41f49d79daaa1848123d93050c979434c16e7f3002263a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	6bec6b5275b9cf30eb41f49d79daaa1848123d93050c979434c16e7f3002263a
SHA3-384 hash:	c007e3077aa7f1d274cfd2a444701d561c1b279d0362c2d0119526d71a3ad82adb44b65680da382f544f538755852e47
SHA1 hash:	806868720aa8be2d77d5673e59cc168f9ea70428
MD5 hash:	1db9176e81632d3a839bee4ae39f2ab3
humanhash:	mississippi-spring-zebra-skylark
File name:	SecuriteInfo.com.Trojan.Mardom.PN.12.30559.12523
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	144'712 bytes
First seen:	2022-08-02 04:37:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	1536:GvMZwBkWq4xtFG+GuEtDM5eeL/23Rxg3eYywBu3PcvCloc/9lCeeFUf:+MiedodGuEtDM5eeL/23RG2Pcg1lC
Threatray	1'999 similar samples on MalwareBazaar
TLSH	T1C8E3E58D765075CFC857C9729AA89C34EA207D77971BC283A01375ADAE2D6C7CF240B2
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	70ccc9b3a9cce070 (19 x Fabookie, 3 x XFilesStealer, 1 x Pony)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295723/

Detection(s):

SecuriteInfo.com.Trojan.Mardom.PN.12.30559.12523.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Creating a file

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/62e8aa4c6336465f2a044a4b/reports/d2dd97d5-3fbe-4e47-ba11-96bb76cf80a8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f3eb8396-1421-46ee-93a9-d09ad1c0dad1

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1044595

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6bec6b5275b9cf30eb41f49d79daaa1848123d93050c979434c16e7f3002263a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-08-02 01:36:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=npwgwutvxhhtb22b6soxtwvkdbebepmtaugjpfbuyfxh6macey5a._file

Verdict:

malicious

AgentTesla

59b646e15716cec57916f75006361b3e369b243918fcd5cc3fffb9be230acda7

AgentTesla

63da7c7f4bf0ab550e7ff73f9ae2f07839f5f701e1187aa4856480c372c7124c

AgentTesla

96c5bf3d91f626f33a0720ce3c1ffa3a27096c8c98e738c89fb200f0bb44a103

AgentTesla

9cecd56c5d9b1ea083ef837edb999f89f1cc620c5923b81d33ddcbb857199018

AgentTesla

baf26fd01ae7499dc6fce1917bd2f61375fe80a570b4f26447c862d088e03ebc

AgentTesla

dcaf120e941d5170bad07fabfc54cb4419021781e34801e88cc6342d447e2bd4

AgentTesla

f9db53d550731012ca850383afa5bdaa9093bb04a15e7dfbe7806acc1041d4cb

AgentTesla

+ 1'989 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220802-e9dh7sbad9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1234239720:AAEAFFQVpwUb9NOAh4rbuhybQ4K0LRMTfJw/sendDocument

Unpacked files

SH256 hash:

5f1c1c4fd20c5834ddacf7cae2b2fc2fb813a2c94c7b2981c5d2659c39263a88

MD5 hash:

e7109365d60dd9c027618041e72b6efa

SHA1 hash:

95cdd881165c2f6d9f9aa5e6db835cceaa92a9ce

Link:

https://www.unpac.me/results/47748841-29f3-4cb5-b420-04075a655f3a/

SH256 hash:

6bec6b5275b9cf30eb41f49d79daaa1848123d93050c979434c16e7f3002263a

MD5 hash:

1db9176e81632d3a839bee4ae39f2ab3

SHA1 hash:

806868720aa8be2d77d5673e59cc168f9ea70428

Link:

https://www.unpac.me/results/47748841-29f3-4cb5-b420-04075a655f3a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6bec6b5275b9cf30eb41f49d79daaa1848123d93050c979434c16e7f3002263a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295723/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample