MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cfbf205225e6ba71eb7f9d214e2d93d932946eb7ff5821f9027c589a4e2ae77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cfbf205225e6ba71eb7f9d214e2d93d932946eb7ff5821f9027c589a4e2ae77
SHA3-384 hash: 8e29918fc83e1e925fe0e4cf153e43188706a633b41812cdfac90abef1b44ea1cca2a245fd3aec577cbedc24bbf45b4f
SHA1 hash: 475ed41b43d4a34b86961c810a3dfb6d44e35bc6
MD5 hash: 4a84e3617d6d07773c49579ae91dede8
humanhash: spaghetti-mockingbird-ack-indigo
File name:ARRIVAL NOTICE WHL050C538368.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:681'984 bytes
First seen:2022-07-04 03:18:03 UTC
Last seen:2022-07-04 10:00:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:gRl1aOdqKWOdneTKFXxrGswX2bT3rKxRygORtrTq:5KWqeTKBRGjMT3OxggORtrTq
TLSH T101E4F12DEFE5CD12C6785633C4D2653843B1994EA222E71B718D13B51E833A7E8C66CE
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.31263.24809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/62c25c6b76fa5a59944051c3/reports/6f80ac75-23f3-454f-a7cd-f24be198a459/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b2b09ea-2035-4cc2-8c9f-0b1a0a140b9a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1023828
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 656323 Sample: ARRIVAL NOTICE WHL050C538368.exe Startdate: 04/07/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 13 other signatures 2->41 7 ARRIVAL NOTICE WHL050C538368.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\ttpDldQIG.exe, PE32 7->25 dropped 27 C:\Users\...\ttpDldQIG.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmp3870.tmp, XML 7->29 dropped 31 C:\...\ARRIVAL NOTICE WHL050C538368.exe.log, ASCII 7->31 dropped 43 Writes to foreign memory regions 7->43 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 RegSvcs.exe 2 7->11         started        15 RegSvcs.exe 7->15         started        17 powershell.exe 23 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 33 mail.lakemitchellconstruction.com 192.169.144.85, 49740, 587 AS-26496-GO-DADDY-COM-LLCUS United States 11->33 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->59 21 conhost.exe 17->21         started        23 conhost.exe 19->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cfbf205225e6ba71eb7f9d214e2d93d932946eb7ff5821f9027c589a4e2ae77/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-04 01:55:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nt57ebjclzv2ohvx7hjbjywzhwjssrxlp72yeh4qe7cytjhcvz3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220704-dt6pdaebhp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
58088d38a6ff4cd56396548487734033e325bee43e8ea5ca1461c98043153acf
MD5 hash:
e595e378855ccd62e8bed6ee4261d488
SHA1 hash:
f7a788882cb784296a7a973d1697702e67000c50
Link:
https://www.unpac.me/results/4765c38b-fff4-4b5d-b117-05cbec611255/
SH256 hash:
11d78f0a47e1233e6753d148e54b58a434bac32eb6e6f3cb9fc4c8e9736975bb
MD5 hash:
ab3d78d3b86ee5805bcc1f5eb4bf086e
SHA1 hash:
eff1ac9c4206da6b326b4aa5ffc4801f3d3c5c15
Link:
https://www.unpac.me/results/4765c38b-fff4-4b5d-b117-05cbec611255/
SH256 hash:
b1c6883259e99d7b07c7f09addca534348c4c324f26a2cc2c49adb2c463af615
MD5 hash:
76ed5fc14e0c8784215b9f775fda1a77
SHA1 hash:
ef835dd409f2e02d5c2b76dd1970c8ca2ea56b6e
Link:
https://www.unpac.me/results/4765c38b-fff4-4b5d-b117-05cbec611255/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/4765c38b-fff4-4b5d-b117-05cbec611255/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/4765c38b-fff4-4b5d-b117-05cbec611255/
SH256 hash:
766f0d1f3952da63b674d721f13438e9d18b8f569bfff7ae011e0724649adc58
MD5 hash:
c45144228f54ff5b84bdc83100b8ef1e
SHA1 hash:
0c2a3d30918c3fdebb11d2b9e892f25d6dd89c8d
Link:
https://www.unpac.me/results/4765c38b-fff4-4b5d-b117-05cbec611255/
SH256 hash:
6cfbf205225e6ba71eb7f9d214e2d93d932946eb7ff5821f9027c589a4e2ae77
MD5 hash:
4a84e3617d6d07773c49579ae91dede8
SHA1 hash:
475ed41b43d4a34b86961c810a3dfb6d44e35bc6
Link:
https://www.unpac.me/results/4765c38b-fff4-4b5d-b117-05cbec611255/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cfbf205225e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6cfbf205225e6ba71eb7f9d214e2d93d932946eb7ff5821f9027c589a4e2ae77

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment

Comments