MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b
SHA3-384 hash: 168976e30683319a0eeb66293375d280b1e07cac2b5add4d4c965b2f2b6088c69b040ad94cc1151695e95995f4fc15d5
SHA1 hash: 6520630d3c963c31fa468ea3454950bc0428d5aa
MD5 hash: f3098b0d9961037de2a43070a523a74f
humanhash: sad-undress-high-glucose
File name:z1EReceipts.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:873'472 bytes
First seen:2023-06-13 12:25:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:HQGcvG73htU7/2eQ1x9uPI7m5k1ceGhq5fmJDs8RcbBsAuW91NNcmGB+:wGgG1tCueiR7qkHG/o8OBsBWX7/D
Threatray 2'635 similar samples on MalwareBazaar
TLSH T1410512063954495BC1343BF40F21B2B537FF6BCA7E2AE6CB1C87B185A8EAF495610607
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0661697171716906 (9 x AgentTesla, 4 x Loki, 4 x Formbook)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z1EReceipts.exe
Verdict:
Malicious activity
Analysis date:
2023-06-13 12:26:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f224fb06-4056-4303-96e0-a27e9d620c19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398315/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.738.27445.27253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6488605c75982cb51ad5cdfd/reports/4225345f-dc38-4f79-9821-6800ab01cac9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f0c7a2ce-1613-491f-985b-e8b03e724057
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253596
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 886616 Sample: z1EReceipts.exe Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected AgentTesla 2->60 62 2 other signatures 2->62 7 z1EReceipts.exe 4 2->7         started        11 ..exe 3 2->11         started        13 ..exe 2 2->13         started        process3 file4 32 C:\Users\user\AppData\...\z1EReceipts.exe.log, CSV 7->32 dropped 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->64 66 May check the online IP address of the machine 7->66 68 Adds a directory exclusion to Windows Defender 7->68 15 z1EReceipts.exe 17 4 7->15         started        20 powershell.exe 21 7->20         started        70 Multi AV Scanner detection for dropped file 11->70 22 ..exe 14 2 11->22         started        24 ..exe 13->24         started        signatures5 process6 dnsIp7 34 api4.ipify.org 104.237.62.211, 443, 49682 WEBNXUS United States 15->34 36 smtpout.us-phx.vox.secureserver.net 173.201.193.229, 49683, 49687, 587 AS-26496-GO-DADDY-COM-LLCUS United States 15->36 44 3 other IPs or domains 15->44 28 C:\Users\user\AppData\Roaming\..exe, PE32 15->28 dropped 30 C:\Users\user\...\..exe:Zone.Identifier, ASCII 15->30 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Tries to steal Mail credentials (via file / registry access) 15->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->52 26 conhost.exe 20->26         started        38 64.185.227.155, 443, 49684, 49686 WEBNXUS United States 22->38 40 smtpout.vox.secureserver.net 22->40 46 2 other IPs or domains 22->46 54 Tries to harvest and steal browser information (history, passwords, etc) 22->54 42 api.ipify.org 24->42 file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 04:19:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nx5xu3vggeuyfj5kfpisi73ne7guqhcflk6zr7uvjcshzm6zcavq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12bf15f7a36dde34a0ab6dde0192fd9769c68e124cbedf9a08bf9a2930ee2b9f
AgentTesla
1b9a2dc6ca050349b9b0f180706742b64e734eb334c02afd87d7108eff1d4ec8
AgentTesla
1d49c75958af33b4be6f0ac91a7d3731d4bffb61ed041851b5de0dcb977f4100
AgentTesla
2350cd7baba805daf4c4216695cad848c3df79edd54e23aea3f953c33572c65d
AgentTesla
46ecdfebbc4147cb426f5db7c417f6f09ff07e214825c2b92c416579580ba345
AgentTesla
4eeedf302a790ebf73335c3bb2d579c9d03e4a13893aa7a9c98eeb2ca8a9576d
AgentTesla
7668d64997d999a406e46cf050a2d3d373efbf269686bcbd1e6348241c471894
AgentTesla
7a6f40daaf68b8a573b92508dee4d90e8236b9cccd80af1e1d9e7702f4b29c07
AgentTesla
aebd9abedf05d17f9fd3c7e3f5d35401ab52148f00b81e067f4688f84ed659f7
AgentTesla
cc921e0670b63842cf917e784f2a32d0419defe2447a15d0a3ec396cbcdc07af
AgentTesla
+ 2'625 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230613-pl66qagf9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
77b12565abe5ab431886991923d8aee6496150634518f2e707bf6455c6c7a4c5
MD5 hash:
88774f5d9a0e4d6a4089f819de7576e9
SHA1 hash:
d7a138370c4dc1045d659663f83e101cb08d74b7
Link:
https://www.unpac.me/results/2faea4ee-94a4-43e2-8494-48880365b801/
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/2faea4ee-94a4-43e2-8494-48880365b801/
SH256 hash:
ff179b4d949e607300285cdc102b843b8185f204ee03253849fce7a3ff48e0e3
MD5 hash:
fd7f7e9c0cd913cd5ddd65801e31a8d7
SHA1 hash:
b4433fafc4964f1a39ee626a7f9b72380adb04b0
Link:
https://www.unpac.me/results/2faea4ee-94a4-43e2-8494-48880365b801/
SH256 hash:
13e9be0aba1cef3943954d2a204472356721075f8ecbfe565a476aec8346fdc6
MD5 hash:
4ce78b41df3f0bb4dff20793bcc9f78d
SHA1 hash:
4de22b09a356224b9916836ba2ee181d369d5f4f
Link:
https://www.unpac.me/results/2faea4ee-94a4-43e2-8494-48880365b801/
SH256 hash:
b98735d34d7cea8f565b951107348802c272f3bd96542095d533a2046bf9294d
MD5 hash:
df80d2d962d7c44dcd2a8e30135ef716
SHA1 hash:
2b3b30fe6ac4f282b940cddb424f066424a61bf4
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/2faea4ee-94a4-43e2-8494-48880365b801/
Parent samples :
6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b
88762c51cbc4467dc5e5ba304d24eef77ecb63011af117529dde2a807ca0d2d1
f680c98c411aa4f05cee596740786e343d48769abc460899218e624f0d7ebca8
SH256 hash:
6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b
MD5 hash:
f3098b0d9961037de2a43070a523a74f
SHA1 hash:
6520630d3c963c31fa468ea3454950bc0428d5aa
Link:
https://www.unpac.me/results/2faea4ee-94a4-43e2-8494-48880365b801/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6dfb7a6ea631/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/398315/

Comments