MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c29c5aedf40d9fd44024cd8ee9ecf19b26a10006d88ec3f76f47c70a2ad1122. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	6c29c5aedf40d9fd44024cd8ee9ecf19b26a10006d88ec3f76f47c70a2ad1122
SHA3-384 hash:	e0a419ed8ec57ce0d156c82cbd7655b77e52cbd45c9f6df18e625c74081238f8be5efe4911531cb888f59b2c635e7a63
SHA1 hash:	159a9d6b33c1d4ab78b0f305375f9e28ad705d53
MD5 hash:	b2e17fe78d0f2d6d2e699f5c44f51769
humanhash:	muppet-lactose-zebra-potato
File name:	SOA JUNE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	705'024 bytes
First seen:	2023-07-14 06:22:11 UTC
Last seen:	2023-07-14 06:49:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:IPhOjDGQIut7Dd6qwTfyDvHO6eRaYoeY29i3auv75zP12:UOjDz78VfyDvHONRaYhCFzP
Threatray	4'850 similar samples on MalwareBazaar
TLSH	T12DE45C0B39D0295BE42E423F147C6A6CEADED50E466FE924342DD2A3B2F664C0D5D70B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SOA JUNE.exe

Verdict:

Malicious activity

Analysis date:

2023-07-14 06:22:54 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/02b222ff-c2a2-4672-adee-a88bb4baa34b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/418580/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19487.11494.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed replace

Link:

https://www.filescan.io/uploads/64b0e9c7b1d2dc145c1d21a8/reports/16dc3428-d9b1-4de0-8f52-454de851df98/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/6c29c5aedf40d9fd44024cd8ee9ecf19b26a10006d88ec3f76f47c70a2ad1122

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/43838a2b-6106-47ca-aff9-dad9d794c511

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272920

Signature

Found malware configuration

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6c29c5aedf40d9fd44024cd8ee9ecf19b26a10006d88ec3f76f47c70a2ad1122/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-13 15:50:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqu4llw7idm72racjtmo5hwpdgzgueaanweoyp3w6r6hbivncera._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

22946068fd1e3e163cd2aa78bd95ac8983fddcbebbd2a7ec07fd2e752caa49d2

AgentTesla

42131014120f6538128d4ca52b1eae8e23a543a5a7c56a42602f8e19fccdafa9

AgentTesla

5aa6f22ed9e46e3b7e82de8db1d7bd6d2a2c0b819820d42303b89df4d31562a6

AgentTesla

73bb3aadb9432efe0971a8211681ed2df1d891997fbcd1add6f4960eb05cda43

AgentTesla

8163524766bde94fff9883de3c7f13bb88bbdd6af597bf3217613321caf43b3e

AgentTesla

8f006585b173e95503af78fe048e5836196340b2e56f3b1b2946a5915e6bb998

AgentTesla

94e0979bf69db22ad543fcaeaf820f651a5ab917c74b6e329f7e9ee020cc7a26

AgentTesla

980bdbac9ae7d494daaf5e30e23656e81fbff319223f766d8c4ae65412d4d03b

AgentTesla

983378f4b350a997de3cd1d8e1c66a5728c2b34ea0b7937ccac824aeda29f7da

AgentTesla

+ 4'840 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230714-g5gq6sdc3y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

50b224aa5cbf278ebbd6735f82a453307fac9b9e1ac07f0d908761ced1480ada

MD5 hash:

95a555c0a90b9f7c8dccf5e413bda6fb

SHA1 hash:

e7cbc1cd65d9b80a89656eae39c53d4dfc92fd8a

Link:

https://www.unpac.me/results/a7585011-3041-4f81-8f95-d8b001e77a4b/

SH256 hash:

cfb47bc0e75450721fbab6d7e77319be2ff963baa043b0edbbd485d6f18e6f57

MD5 hash:

0255dca41f11beb051faeaf2df41ca9a

SHA1 hash:

45079d80bbf36a65654d288171b6c0e42fd437f5

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/a7585011-3041-4f81-8f95-d8b001e77a4b/

Parent samples :

0d60b66a4cf05690e7a7afa8a54328fd3b043bb5a77c9c45d59ecdbc8f7af440
37a3df3f3e43cf82060890197d96d5ad5e0b84b0995f1cd70709f96899fe2994
42131014120f6538128d4ca52b1eae8e23a543a5a7c56a42602f8e19fccdafa9
8163524766bde94fff9883de3c7f13bb88bbdd6af597bf3217613321caf43b3e
5cc55879af4ec6a5ded72775f9ae99a0f46496b45caaac6b5f58d67dad355f6f
8a8e0e6bbd082c0517424117627d9a6740892357cdf95555150d87f98f39aad7
73bb3aadb9432efe0971a8211681ed2df1d891997fbcd1add6f4960eb05cda43
e3a4d27630c1d1f5f57a8d490047380ffd6f813b6ffa9eb554632ac915a61447
983378f4b350a997de3cd1d8e1c66a5728c2b34ea0b7937ccac824aeda29f7da
be84687edad29eae1d7819714c65881c1c8bd2bb9170c58f8b5fe5a34ef2a664
8f006585b173e95503af78fe048e5836196340b2e56f3b1b2946a5915e6bb998
980bdbac9ae7d494daaf5e30e23656e81fbff319223f766d8c4ae65412d4d03b
22946068fd1e3e163cd2aa78bd95ac8983fddcbebbd2a7ec07fd2e752caa49d2
94e0979bf69db22ad543fcaeaf820f651a5ab917c74b6e329f7e9ee020cc7a26
cdb512760be3becba1ca6ceaa20786f3428bee9a0037be8a95da3e1910cd067b
1e6d877e28638122cf889cb074d451010ab7aaaab155348d1719c7467e697dac
ad4ef5b118ce9922d0adedc4ee0135aa1bc55a0ce537d7396001cdaf533856b3
d106446fe25932f01efe8164e5dfa001b5c8a05a8d42a3bfd90c306b5814ea54
6c29c5aedf40d9fd44024cd8ee9ecf19b26a10006d88ec3f76f47c70a2ad1122
6fb64f7e90516c0003e7cd104a2370a22c5949871bc653067d0100229f8f9717
7b53084fd46b89ffc9c41b0fcaaecc3e55579eef25037e68f1aee62d86528b61
813490a4f54269088113cdf7e413b2c9eae7ebdd9a88a51195b324ec6a0fcd3a
2f2c5ef0fb2db3d362fcb5ebd1ed82b5a73cd36c9c0ab4ae18dd26f225bb3e63
4cf806a71adea5b039528773d5857e5386af8aa61ad773c2d7857c9e23cc6feb
67f50cbee8d146700d13aba555eee7cef1b007947cf5f6dc6c8262b8a0f01c70
cd5661c73868cc4246d7cb01f785447b6c359ded6aaff8e1e62737032ddaa7e8
0ef8f46933f6388ca0374cda300f534802a54343ecade5f00d9cf2f9a6485638

SH256 hash:

e90f157f78729e24a1abe5c163b3e9dfa5b33d9dc54b22c71a3d437a5cf4f9eb

MD5 hash:

251fc5a1f47bf3a8b66ab6e5edfe435b

SHA1 hash:

366fd39c65dfd1b266749b084f3ba83f1d9bcf78

Link:

https://www.unpac.me/results/a7585011-3041-4f81-8f95-d8b001e77a4b/

SH256 hash:

6c29c5aedf40d9fd44024cd8ee9ecf19b26a10006d88ec3f76f47c70a2ad1122

MD5 hash:

b2e17fe78d0f2d6d2e699f5c44f51769

SHA1 hash:

159a9d6b33c1d4ab78b0f305375f9e28ad705d53

Link:

https://www.unpac.me/results/a7585011-3041-4f81-8f95-d8b001e77a4b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.93

Link:

https://yomi.yoroi.company/submissions/6c29c5aedf40d9fd44024cd8ee9ecf19b26a10006d88ec3f76f47c70a2ad1122

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.