MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961
SHA3-384 hash: 637e46d3a8bb56750259ae86665ce9df6967cf63b63956b8d20ff931371fc5d401ecde4ee82e6f881493f174e913be87
SHA1 hash: 2bf9f2f31b3707a0a589f99e757f951c7747630d
MD5 hash: 17e59ba94fc46773279a78f2014b8e87
humanhash: tennessee-ack-friend-winner
File name:PaymentXinstruction.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:885'248 bytes
First seen:2023-03-08 08:11:22 UTC
Last seen:2023-03-08 09:27:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:mKa3cOQGOPUtmus+6UFM8qeSgoePBfBf6/:4MRL+6Ue7N3
Threatray 1'253 similar samples on MalwareBazaar
TLSH T1AD158E9172B194B3F5CB016960287BCC2C3CB183B6D9E24B6A3779C096459BFF798E11
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8cf2684d6868e892 (13 x AgentTesla, 4 x Loki, 3 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PaymentXinstruction.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 08:14:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8cb5d9d-99fc-4505-8edc-a9c2c8dfea06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372504/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/640843577f18ce9b01807fa7/reports/2e2dbd11-3d6b-4a2b-baa2-c068f090a9b5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df2f8b35-cae0-4547-a827-8f189a7f39f1
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189240
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 822115 Sample: PaymentXinstruction.exe Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 5 other signatures 2->69 6 PaymentXinstruction.exe 3 2->6         started        10 xvWDE.exe 3 2->10         started        12 xvWDE.exe 2 2->12         started        process3 file4 33 C:\Users\user\...\PaymentXinstruction.exe.log, CSV 6->33 dropped 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->71 73 May check the online IP address of the machine 6->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->75 14 PaymentXinstruction.exe 17 10 6->14         started        19 PaymentXinstruction.exe 6->19         started        21 PaymentXinstruction.exe 6->21         started        77 Multi AV Scanner detection for dropped file 10->77 79 Machine Learning detection for dropped file 10->79 23 xvWDE.exe 14 7 10->23         started        25 xvWDE.exe 12->25         started        27 xvWDE.exe 12->27         started        29 xvWDE.exe 12->29         started        31 2 other processes 12->31 signatures5 process6 dnsIp7 39 discord.com 162.159.128.233, 443, 49715, 49723 CLOUDFLARENETUS United States 14->39 41 162.159.137.232, 443, 49716, 49725 CLOUDFLARENETUS United States 14->41 47 2 other IPs or domains 14->47 35 C:\Users\user\AppData\Roaming\...\xvWDE.exe, PE32 14->35 dropped 37 C:\Users\user\...\xvWDE.exe:Zone.Identifier, ASCII 14->37 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->53 55 Tries to steal Mail credentials (via file / registry access) 14->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->57 43 162.159.136.232, 443, 49722 CLOUDFLARENETUS United States 23->43 45 173.231.16.76, 443, 49717 WEBNXUS United States 23->45 49 2 other IPs or domains 23->49 51 2 other IPs or domains 25->51 59 Tries to harvest and steal browser information (history, passwords, etc) 25->59 61 Installs a global keyboard hook 25->61 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 06:21:18 UTC
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nw6so6st4ldcdj3yughnt7by5vkwv7auk2buqgxlkuyb2gsxjfqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2047eac119d133e43a99c820bffa0cf6ad280292bc6e3b17c3ad1a6fba25c2e8
AgentTesla
3047d199e9540948a25c577cc9181b77d26708c2539c660706a8fd12fec2db1b
AgentTesla
3221b60a97d6becffd25f5aadc1679400a41f91e2538f203761809f9dd65039d
AgentTesla
3e71398f2c545fe979dbc8c61ccaf8bd055a7d5855d978b0bf006fa6dd1222ed
AgentTesla
4097ec9b7e47872f529451d84c79c68d22016553e63c95162306354a1b15a9d1
AgentTesla
6b5b7eaba354864363cd0c95de9d926b2878201de9030cbb0bbd512a84697b40
AgentTesla
918057f4d236bf49e9efaceb3c4aaab580baf9960ac45d2fe8d97c5d98111f73
AgentTesla
9a4dba9c3d3c74e021c2a07cb5d44aee1f36f697394d729f9735cb38792a86eb
AgentTesla
ae773800646505a74d624672b6a3bf5d74c92dc78d7d1fdb9df1842d692c21ab
AgentTesla
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
AgentTesla
+ 1'243 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230308-j3v7wsed5s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1081911669879476254/4aOb4D2JOnvL6AljQAIlBRs_c0Qa20y8RAppg1dgYqajCAP2XbITnDxvhr6YhYRstksl
Unpacked files
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/f9187e84-02f7-4110-92d9-eb837fc98f02/
SH256 hash:
75c3a133732c9083fdc72ef3744e9c3caa9fa2400ac3b8877165cc6034bfabff
MD5 hash:
2b8caa0a402c294d688098c7a25c1e21
SHA1 hash:
9c7ee584c758137ed9928c82a88da755ac475e66
Link:
https://www.unpac.me/results/f9187e84-02f7-4110-92d9-eb837fc98f02/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/f9187e84-02f7-4110-92d9-eb837fc98f02/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
5d293ccca54612e1e82e9043bc0e7f80931285a8f55065067e34c7e5f18ae489
MD5 hash:
5d74d52e5171e3cf56687c14498acffe
SHA1 hash:
950fcbdfe7e0a10076e7f8219e6a9cdbe3822525
Link:
https://www.unpac.me/results/f9187e84-02f7-4110-92d9-eb837fc98f02/
SH256 hash:
86fd1b18ff1080eb522e03d735e99e563bad3fcb22623e219593766749bbb8aa
MD5 hash:
f58c43032ad4b7f6a1db569e3db22fee
SHA1 hash:
2ae94af09620a434bc2d1680e50ae618adb91162
Link:
https://www.unpac.me/results/f9187e84-02f7-4110-92d9-eb837fc98f02/
SH256 hash:
6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961
MD5 hash:
17e59ba94fc46773279a78f2014b8e87
SHA1 hash:
2bf9f2f31b3707a0a589f99e757f951c7747630d
Link:
https://www.unpac.me/results/f9187e84-02f7-4110-92d9-eb837fc98f02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/372504/

Comments