MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b
SHA3-384 hash: e1634a377a73ed07b6768749b8f1a2beac9306c84e79fa9989aa4389aae8f2c32e787bbea515b6568035b619083a7095
SHA1 hash: 8b7ebffe014fd61f97e743c7993b13654fda72a0
MD5 hash: db1409ffcfa26228df0e916d92e7079d
humanhash: eight-magnesium-carpet-west
File name:Purchase Order #71866.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:744'448 bytes
First seen:2023-06-20 06:02:17 UTC
Last seen:2023-06-26 05:45:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0b903YT7uPM7q6bpw4dcZda/igJI/DR74uy9irSCJesJKpBI+KEaJWlAfLgy7cyI:0b903YNzu4CZdO+LRU7Y9J9JKHPKPAAK
Threatray 3'058 similar samples on MalwareBazaar
TLSH T11CF412249697862BD00B0F7054A0E7B552BC9EC9BB22D6EF0CCB7DD37E667C90534226
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2b2555676501612b (15 x AgentTesla, 3 x Loki, 2 x Neshta)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
239
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order #71866.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 06:06:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/537dc00e-0415-49d8-8abc-fa5d1ff1cca9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400738/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.16330.12291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64914116024b6169b0eb1485/reports/15d67acd-e8ca-4ff0-bff5-482546c168a6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a05655cd-3cd8-40c5-924d-653ad3dc558b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258674
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891692 Sample: Purchase_Order_#71866.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 6 other signatures 2->58 7 Purchase_Order_#71866.exe 7 2->7         started        11 ywVAwZ.exe 5 2->11         started        process3 dnsIp4 32 C:\Users\user\AppData\Roaming\ywVAwZ.exe, PE32 7->32 dropped 34 C:\Users\user\...\ywVAwZ.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpFD1F.tmp, XML 7->36 dropped 38 C:\Users\...\Purchase_Order_#71866.exe.log, ASCII 7->38 dropped 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->60 62 May check the online IP address of the machine 7->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 7->64 68 2 other signatures 7->68 14 Purchase_Order_#71866.exe 15 2 7->14         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        40 192.168.2.1 unknown unknown 11->40 66 Multi AV Scanner detection for dropped file 11->66 22 ywVAwZ.exe 2 11->22         started        24 schtasks.exe 1 11->24         started        file5 signatures6 process7 dnsIp8 42 api4.ipify.org 104.237.62.211, 443, 49703 WEBNXUS United States 14->42 44 api.telegram.org 149.154.167.220, 443, 49704, 49706 TELEGRAMRU United Kingdom 14->44 46 api.ipify.org 14->46 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        48 64.185.227.155, 443, 49705 WEBNXUS United States 22->48 50 api.ipify.org 22->50 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->70 72 Tries to steal Mail credentials (via file / registry access) 22->72 74 Tries to harvest and steal browser information (history, passwords, etc) 22->74 30 conhost.exe 24->30         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 05:26:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 36 (52.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwp6qh37hz7admxq5wdackyssfzlxrfd6mkvgopy2lyux7vccuvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
213c731aacc82ea20f97417a4adf5d4a024e52798d07f05b704711cb1f5c6248
AgentTesla
257ba93dab8da864d90c650cfd8b28bd5df50817f574febd5ae102648c5abf1c
AgentTesla
30d0d9777a726d380c3e477fc5fb70ecc6b7d254bd089926298ea8bb441042ff
AgentTesla
38a9f881eb28d8f75c2c21a9cb4de15e472866346c747c480e8e6ec485982067
AgentTesla
4913dda08726dc0fcc3b36bb5daf24556364937a7c4950698e8f2cc0691aefc6
AgentTesla
49bc579c76fbe3797d8ef0defec51d64087fabc11dab7f537042164c45c33846
AgentTesla
7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0
AgentTesla
ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847
AgentTesla
e6d85b943658d32b138279b866c581b76b7e1d3ecd55d51a71c1efa89e42c041
AgentTesla
+ 3'048 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230620-gr1xwsbc9y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6084260127:AAGr1lYKmzu_Yev9KMdR1XgmtKjk7qxZPno/
Unpacked files
SH256 hash:
bf30f7032a6e2fdd6a872718de569645dda2c9e734a4f90a77e5af9a58d75812
MD5 hash:
29432c0db5445ce74b8a1042234187af
SHA1 hash:
fdc1bce5c868fbaed48ff27b3cc73b752bc66e75
Link:
https://www.unpac.me/results/6cfae786-bd85-4eac-962a-d347a5adacd8/
SH256 hash:
083ae5dabbe6b9cde16cee5b39c7c7f0db3e919c5badbc85369b8953e3d3d16e
MD5 hash:
12dd758f9a189d17fc3c7b3f48379398
SHA1 hash:
eecec666b7296ec0a2f98d57ff79de60a00581c6
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/6cfae786-bd85-4eac-962a-d347a5adacd8/
SH256 hash:
8cc203987cd2d018ec00f2f71e0f2e68993e763fc0f3d2de162002168899b3e7
MD5 hash:
9a705102375373f54259c348254a3e43
SHA1 hash:
ea2cc84861f7d90dc452af3803b3ebf46a2a68da
Link:
https://www.unpac.me/results/6cfae786-bd85-4eac-962a-d347a5adacd8/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/6cfae786-bd85-4eac-962a-d347a5adacd8/
SH256 hash:
862ee3f99be3a50f871dec80880c8b14ecc0f6f2e69ab21e57e4f96bfca635f6
MD5 hash:
a732cbf6eae748784c39ae6d9eab3c11
SHA1 hash:
27daa4c44a37d6d51f9e1ba0e3ef4465b12235fb
Link:
https://www.unpac.me/results/6cfae786-bd85-4eac-962a-d347a5adacd8/
SH256 hash:
6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b
MD5 hash:
db1409ffcfa26228df0e916d92e7079d
SHA1 hash:
8b7ebffe014fd61f97e743c7993b13654fda72a0
Link:
https://www.unpac.me/results/6cfae786-bd85-4eac-962a-d347a5adacd8/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d9fe81f7f3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400738/

Comments