MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d
SHA3-384 hash: 368bfcf82d2120dfdfc71ee1915494d90b5ee22cac26e0fec79dc68fcbbd39fff1736247de44c07ab96274096c7a358f
SHA1 hash: bcf5a35139086846442c3431b388dd7a8ae76429
MD5 hash: 1c86caaf667d408ed5f1e847accdbd03
humanhash: video-enemy-juliet-oranges
File name:documentpau.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:772'096 bytes
First seen:2023-10-17 13:11:21 UTC
Last seen:2023-10-17 13:39:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:1MYnQ3j67SESV1eXl8OhA90W+xpWokahBnz/OlfgHc6fWlh2q718BMHHBngz+bQO:1B3xpMah5+g8k3cEyHmz9qhv2Uz0
Threatray 79 similar samples on MalwareBazaar
TLSH T1B7F4D044BBD39250F27A49B90BD9A990C61F6F162E03CA092E8633DB4F31BB75510FE5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 62d198bcb6bef870 (1 x AgentTesla)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
documentpau.exe
Verdict:
Malicious activity
Analysis date:
2023-10-17 13:14:24 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/8093448b-0c5c-4018-b2a8-2a7b91f6d5b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455340/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61718.3707.16882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Creating a window
Forced shutdown of a system process
Query of malicious DNS domain
Stealing user critical data
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/652e8826a29a700213a4347f/reports/1d4a5faa-d13f-44c7-9e01-aaff5e38d572/overview
Verdict:
Malicious
Labled as:
Marsilia.Generic
Link:
https://www.hybrid-analysis.com/sample/6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/60f7948e-813f-45fb-a4e8-03043f786897
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327281
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Copy file to startup via Powershell
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1327281 Sample: documentpau.exe Startdate: 17/10/2023 Architecture: WINDOWS Score: 100 32 softwarez.online 2->32 34 product-secured.com 2->34 36 5 other IPs or domains 2->36 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 14 other signatures 2->48 8 documentpau.exe 3 2->8         started        11 adobe.exe.exe 3 2->11         started        signatures3 process4 signatures5 50 Bypasses PowerShell execution policy 8->50 52 Writes to foreign memory regions 8->52 54 Allocates memory in foreign processes 8->54 56 Injects a PE file into a foreign processes 8->56 13 MSBuild.exe 15 12 8->13         started        17 powershell.exe 13 8->17         started        20 MSBuild.exe 8->20         started        22 MSBuild.exe 12 11->22         started        24 powershell.exe 11 11->24         started        process6 dnsIp7 38 product-secured.com 179.43.183.46, 49745, 49746, 49749 PLI-ASCH Panama 13->38 40 api4.ipify.org 173.231.16.77, 443, 49744, 49748 WEBNXUS United States 13->40 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->58 60 Tries to steal Mail credentials (via file / registry access) 13->60 62 Installs a global keyboard hook 13->62 30 C:\Users\user\AppData\...\adobe.exe.exe, PE32 17->30 dropped 64 Drops PE files to the startup folder 17->64 66 Powershell drops PE file 17->66 26 conhost.exe 17->26         started        68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->68 70 Tries to harvest and steal browser information (history, passwords, etc) 22->70 28 conhost.exe 24->28         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 04:25:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nteuv5zhrgimrhwxi3v4tf2z3r6yi7h43u6ngj6rlgeljcpd4woq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b282c5279640f86929276ce1a52be1ec7e892701954362e5568f254101880b5
AgentTesla
12b2fba3e9d8b5d287e3d9e6fb6fe2ed7f1652bce0af56d5dabf93c38fbf723b
AgentTesla
1d0a887a3854e98591d1f6b0fc2cdf986d032efad809323223949548860107e8
AgentTesla
493e3d54159cd3ebde6aa0b5216ddcb14863b4b064bb80c654353838926d191d
AgentTesla
6430cbc0e6f2b70a615188a247f4bbd049c8ef133c8522cc04b57bee370cbebf
AgentTesla
9551b8ab0bc6b210d632f4e4d77238f1ba8ddaefb6e8728c579773ce9eed963e
AgentTesla
a733065ba4e8987727892b1c9ff5e562624385b175ed2e80af74c1fc4579bd58
AgentTesla
e579952e0a6c558c001274aa13e6ac8297a3991497f0163917e6db3a37430f83
AgentTesla
ecade566a9d6d611fe4ee178d686516aad0c5b0af39d07b8e4d9e7900bb3aec8
AgentTesla
fb5a97acf9b392addd2c222672ee4d97b6d1a39e6877734db1cb012f6a356793
AgentTesla
+ 69 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231017-qfg53sdf68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
AgentTesla
Unpacked files
SH256 hash:
d35a425f1d7625dec54b94486a1539be07fbb019032faa3818028786f7e6eccf
MD5 hash:
38195fbb7273b0282d130dc945897516
SHA1 hash:
b79ddcbf427c565c4f5ef2f246ddd58ac00a3329
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9d6d396a-4a0e-4fb7-8f97-f8ce348e69e2/
SH256 hash:
09ececbaa5026f53ae30757c00d5d9f283ee20e2a1ac494294b5ae595284b54c
MD5 hash:
c998c84ab901c5e2f328e16a947369af
SHA1 hash:
4d44f2f7eb548f3c771218b6559e6e94b2ace940
Link:
https://www.unpac.me/results/9d6d396a-4a0e-4fb7-8f97-f8ce348e69e2/
SH256 hash:
65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3
MD5 hash:
848b847cd19805d19235b5acb8ef2bef
SHA1 hash:
38100751a4ae45a143232cbacf9bb441b31fb211
Link:
https://www.unpac.me/results/9d6d396a-4a0e-4fb7-8f97-f8ce348e69e2/
SH256 hash:
6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d
MD5 hash:
1c86caaf667d408ed5f1e847accdbd03
SHA1 hash:
bcf5a35139086846442c3431b388dd7a8ae76429
Link:
https://www.unpac.me/results/9d6d396a-4a0e-4fb7-8f97-f8ce348e69e2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cc94af72789/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/455340/
  
URLhaus
https://urlhaus.abuse.ch/url/2721626/

Comments