MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d3d406d84c61856f092fb6a14caaa67495a48b48ab98a03a3970bf109aadc2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d3d406d84c61856f092fb6a14caaa67495a48b48ab98a03a3970bf109aadc2c
SHA3-384 hash: b2aa64f90e39e57c964b718ffa25ed675fb92c70934bcbcb46f5819fd50faa1d970ee0027618cb96964c479854eaad13
SHA1 hash: 8517f1be8821b4b465abbd266ef4f2d5bf51d06a
MD5 hash: 789bf451549d68b1fc31f4875fb15df4
humanhash: kilo-timing-golf-nitrogen
File name:REQUIREMENTS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:415'232 bytes
First seen:2021-12-14 14:54:37 UTC
Last seen:2021-12-14 17:05:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:/CYWON8rmWFRSWJv2EtUnGt1t62nUV/qDyuFvGpYFEnjHfRD7izKhqpVNOn7eqzN:/gJveo1/UEusGpYFEj5/vhqpiqq0rQR
Threatray 13'400 similar samples on MalwareBazaar
TLSH T1ED94D0452AC6D1E8F9BFEBF10CB139C60339F6E5E540F2DEE5C4245AE9A26414F106B2
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUIREMENTS.exe
Verdict:
Malicious activity
Analysis date:
2021-12-14 15:00:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b119a7d1-e07a-42c6-add0-2d33782ada7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/213963/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.7866.28019.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b8b04947bb875c085d5cdb/reports/d3ac636d-317b-4c99-be9c-b62583b8f0ac/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d76dea72-ccce-499a-a527-9baf80398e8c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907126
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 539604 Sample: REQUIREMENTS.exe Startdate: 14/12/2021 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->29 31 Found malware configuration 2->31 33 Antivirus detection for dropped file 2->33 35 10 other signatures 2->35 7 REQUIREMENTS.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\WOyhla.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmpAE57.tmp, XML 7->21 dropped 23 C:\Users\user\...\REQUIREMENTS.exe.log, ASCII 7->23 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Injects a PE file into a foreign processes 7->43 11 REQUIREMENTS.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 dieseltronic.com.pe 98.142.105.18, 49822, 587 DIMENOCUS United States 11->25 27 mail.dieseltronic.com.pe 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d3d406d84c61856f092fb6a14caaa67495a48b48ab98a03a3970bf109aadc2c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-14 14:55:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nu6ua3meyymfn4es7nvbjsvkm5evusfurk4yua5ds4f7ccnk3qwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03ef8714bc60d14808b9d17373c5e34198a4e7a60cdebab1e18f9e49c394f7d1
AgentTesla
05e5d5a7224902bd3b98c2b0c692eb2c892446a302c10dba36df8a4f45276e9a
AgentTesla
5a0044006cc97a168cf5b4e2d249d040294d2a4eb683f2d54e91f7d849b23639
AgentTesla
8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991
AgentTesla
92bc56e98e19d4d9fbabf683531fa6d25c194723c9a029a46d1a4e87ffaf29ee
AgentTesla
a222707d7596b243326b50df4ce981b8c572d22808465d805592f6441ab7f871
AgentTesla
a42d9bd273be9ffd1ca60def6f75fab502c7d04967bc69fe9ee7c8304d80bf16
AgentTesla
dbce8fe278a2c14f6e9d1db1d536d087da864d9870ee364dcb4c89322604729e
AgentTesla
e4161228e6d0834d34f12745d57902d9f98a0a6302811b094189a4f9a708a365
AgentTesla
e7e13a17b68aa61a6adf579f4bf9994e92e9cae1788e0161e18969de98095003
AgentTesla
+ 13'390 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211214-saf2yafhe3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
337ac332e199087fa078185847d37464f4681555e7ff8e0a74dee434b7eb507d
MD5 hash:
a62a0d4ec08295c1479c87e28a5c3172
SHA1 hash:
a81df09d042fcc300fe01be3e4b7ec8f3f1a3deb
Link:
https://www.unpac.me/results/c48e8cdf-9272-44f9-a7ea-43606b35e164/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/c48e8cdf-9272-44f9-a7ea-43606b35e164/
SH256 hash:
6a0d8fb64e5d35244715e5bc78475b52cd27004f1974ad79cfaa4fe55b271716
MD5 hash:
585d2786496fb4ce6d197203ba479f4a
SHA1 hash:
42514e91ad8d13b6e6ba5b99945c49a5aedf8a92
Link:
https://www.unpac.me/results/c48e8cdf-9272-44f9-a7ea-43606b35e164/
SH256 hash:
6d3d406d84c61856f092fb6a14caaa67495a48b48ab98a03a3970bf109aadc2c
MD5 hash:
789bf451549d68b1fc31f4875fb15df4
SHA1 hash:
8517f1be8821b4b465abbd266ef4f2d5bf51d06a
Link:
https://www.unpac.me/results/c48e8cdf-9272-44f9-a7ea-43606b35e164/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6d3d406d84c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d3d406d84c61856f092fb6a14caaa67495a48b48ab98a03a3970bf109aadc2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6d3d406d84c61856f092fb6a14caaa67495a48b48ab98a03a3970bf109aadc2c

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/213963/

Comments