MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87
SHA3-384 hash:	7f4479c115999dc1ac7a0705dc8495e0bb18859944f9306cb876029ff93fa408a91c6246da0dd7018bea7ad4955cf27d
SHA1 hash:	5c3d6aa9984c5828d51d7676bb06400ab1c4edda
MD5 hash:	4aa0212e803011d0abf7516bf779c554
humanhash:	jupiter-july-oven-tango
File name:	RFQ-0001120306790.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	341'879 bytes
First seen:	2023-10-04 07:21:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep	6144:BnPdudwDs7mdEOkv9Lg/hcV3w+Xs4KPOto0AldiBrgCNHtXj0Ow2XqE+:BnPdw7ac9k8nc5OvLdNHtAOwq+
Threatray	15 similar samples on MalwareBazaar
TLSH	T12F7413257690C4A3C47293B1A9F71F4276866A2207D87F0757902B0D7E376839EAF3D2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	TeamDreier
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

322

Origin country :

DK

Vendor Threat Intelligence

ANY.RUN agenttesla

Malware family:

agenttesla

Alert

Create hunting rule

ID:

1

File name:

6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87.zip

Verdict:

Malicious activity

Analysis date:

2023-10-04 08:43:14 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/6c230209-9931-43a9-b93a-b8d1477df153

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.8759.14700.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Dragonfly

Gathering data

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

control lolbin overlay packed remcos shell32 threat virus

Link:

https://www.filescan.io/uploads/651d12a7a31588d184f058f7/reports/9adba4c5-642f-42fc-95d8-2f5086837b91/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4747343-f40b-4327-81be-f594a0351e43

Joe Sandbox AgentTesla, NSISDropper

Result

Threat name:

AgentTesla, NSISDropper

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1319256

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB agenttesla

Detection:

agenttesla

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87/

ReversingLabs TitaniumCloud Win32.Spyware.Negasteal

Threat name:

Win32.Spyware.Negasteal

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-10-03 09:38:26 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

22 of 35 (62.86%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvq7wvsdimtos3abpvl3zrfa6lq4hkmiolicmlragt2ofczy56dq._file

Threatray agenttesla

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

Similar samples:

21140ae60aa6ba79a4d6cfc5aa5fd4cf4aa08ac5a522a4a2393f4c9552224529

AgentTesla

26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309

AgentTesla

5e46b06d31e7e09162fbc59a2aa0c9fa138b2491359042626f9de659d9b0b065

AgentTesla

795998e9064cb981d6a40a34fbeee48381121ea7ac7175ffe5b506b11cf843d7

AgentTesla

853d6a20b81a88dcd326ef889645896a3e779b07676e319fd4aceedfe01aa891

AgentTesla

b73234fec5a6cbf5e739a75ce9aa9674f11dd409a81c740f009e1bf18c767c94

AgentTesla

be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7

AgentTesla

dc999aa2db84e4f91022be10a55e971c49da82960027b7482b44856fee46f9cc

AgentTesla

f3c99b21d43e967be5b3e53e70050b9d6dce181fe5415f9825b512850ecb0b52

AgentTesla

+ 5 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231004-h68rqabg87/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

UnpacMe 2

Unpacked files

SH256 hash:

c82d610a6a168120809a0c05dd53c9e9b8458d66d13c5fe5cbf2dcf7eef95a5e

MD5 hash:

e3f01ddaebd17109dd8ac24ac6cfb071

SHA1 hash:

0617c14804c5b12cc54f3963196a8fc312f27886

Link:

https://www.unpac.me/results/05297e15-6317-4ee9-85f6-d20e5679ea70/

SH256 hash:

6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87

MD5 hash:

4aa0212e803011d0abf7516bf779c554

SHA1 hash:

5c3d6aa9984c5828d51d7676bb06400ab1c4edda

Link:

https://www.unpac.me/results/05297e15-6317-4ee9-85f6-d20e5679ea70/

VMRay AgentTesla.v4

Malware family:

AgentTesla.v4

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6d61fb564343/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87