MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e38a3ddc750c13372311bd90bf5bdde571d005f1af0c62b1eb95b02467ee2d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments 1

SHA256 hash:	6e38a3ddc750c13372311bd90bf5bdde571d005f1af0c62b1eb95b02467ee2d1
SHA3-384 hash:	cdba678baafe9130a3aed7a99782124d5d348fa67564d479dfe04b9d7518a925a653968bcc010ac5b2d24193b99824f1
SHA1 hash:	97983dbe8d62964632eaed9503a5715fd1944e42
MD5 hash:	127d03a01f359b357206db05520c5cf2
humanhash:	fourteen-burger-batman-william
File name:	127d03a01f359b357206db05520c5cf2
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	668'672 bytes
First seen:	2022-05-20 12:33:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:yHB4fuqlaqMfD7w/79khCD1gPjxJ/Il+zYBoGDESD4urD5Y1URVmgiaGjdmo:yH22qla5w/yXbxOllB9B451mhiaGj
Threatray	17'507 similar samples on MalwareBazaar
TLSH	T1A9E41BD1F150889AEC6B09F2AD3FA5302593BE9C54A4410D5A9E7B1B76F3342309FE1E
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

dridex

ID:

File name:

293205610.xlsx

Verdict:

Malicious activity

Analysis date:

2022-05-19 05:36:42 UTC

Tags:

encrypted trojan banker dridex opendir exploit CVE-2017-11882 loader agenttesla

Link:

https://app.any.run/tasks/41c1e5b4-d038-4f0f-864a-6d3a404b632e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/273037/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/62878ac4054dcf0ecad1d6ca/reports/0752936b-90c0-40e0-9d8f-0eb46a3bf025/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/145737c2-9e95-4739-97d1-d455500c0c3a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998562

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6e38a3ddc750c13372311bd90bf5bdde571d005f1af0c62b1eb95b02467ee2d1/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-05-20 10:37:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

3/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

203bfe6c0c5879e5951719fa76fdd9de0343e2652b58141660651d84790310ed

AgentTesla

2aa8f6347e3d331950c557528790162d59d5607fadbb111e1cefad5a34ba6cd9

AgentTesla

4dec45a4095ce92e7bc46962358c73f3e52b57a13128947fcebeeed3d866ff5e

AgentTesla

879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275

AgentTesla

9af7966457a612505ab014eabf6eb8e96a09bdc6b248816506271fc554473197

AgentTesla

a342e8f2472ac316cab1017fc24f46d8206390f90448b91d62b9225aa3d2e229

AgentTesla

+ 17'497 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220520-prt4cabfb6/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

fd92b68675f75da9d776da981ce97f3a557876c7364e2ebba29ba760daff2440

MD5 hash:

e2b27e908fb385a2d01aba639394867e

SHA1 hash:

b84614e368f16ca8623d9d254dd6a45d684c3bc8

Link:

https://www.unpac.me/results/94c1c141-6648-479d-b5bb-39e5cd107846/

SH256 hash:

304ea7ef6a8f0f01fc620c654c7ae5ccb979892a9b570412f38a64b3078b8461

MD5 hash:

b9a7f8137bea8c00a5922703b31f3206

SHA1 hash:

716c2548868171f11301a685b9698a326f99cda8

Link:

https://www.unpac.me/results/94c1c141-6648-479d-b5bb-39e5cd107846/

SH256 hash:

ae93d725971ed4883f3bb1a74ce0e134914cbe0a093da6f33ee354e73ff131bc

MD5 hash:

889b57b4bbe8d5e50f4d22425c76bfb1

SHA1 hash:

349cb048a2ded9234120e37ab7cb2481376b34cb

Link:

https://www.unpac.me/results/94c1c141-6648-479d-b5bb-39e5cd107846/

SH256 hash:

6e38a3ddc750c13372311bd90bf5bdde571d005f1af0c62b1eb95b02467ee2d1

MD5 hash:

127d03a01f359b357206db05520c5cf2

SHA1 hash:

97983dbe8d62964632eaed9503a5715fd1944e42

Link:

https://www.unpac.me/results/94c1c141-6648-479d-b5bb-39e5cd107846/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e38a3ddc750c13372311bd90bf5bdde571d005f1af0c62b1eb95b02467ee2d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research