MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e9be72aed4abeba3b171ab786f8b326d8c08d449dcb0e7610abe3f0b8405267. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e9be72aed4abeba3b171ab786f8b326d8c08d449dcb0e7610abe3f0b8405267
SHA3-384 hash: d9990e1da3b4fced99e4d1ba12b53f78adf54241fdbb1b22dd50bef7ab0f8a2ab3b39660397d01044d79f66fb775f01c
SHA1 hash: 0911386d4a31934b3bdf6ed3c3386b8e660a75b5
MD5 hash: 74182f3e655329b3c6ae175ebffe3b76
humanhash: nine-jig-zulu-ink
File name:PO-4567-09.xlsx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:473'600 bytes
First seen:2021-06-15 08:41:03 UTC
Last seen:2021-06-15 09:52:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:uFsS0SSWGp2ek9lWSybaM2RG+zcwxOVbcEkXlbPLnEW92tERnHXDcAJYKu:7SYWGEekrWSVM4GSYbcbhEd6nTPZ
Threatray 6'023 similar samples on MalwareBazaar
TLSH 51A4CEB9B3846BAAC3184F3AD697355443E0D113B332F31BA8FC78E46921B485B7E516
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-4567-09.xlsx.exe
Verdict:
Malicious activity
Analysis date:
2021-06-15 08:45:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6b455b5b-7d9f-41b9-bf01-12f509a906d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166425/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.29567.15220.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e87a5e5-9de8-45b0-baff-f25dc23b5372
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802263
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 434659 Sample: PO-4567-09.xlsx.exe Startdate: 15/06/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AgentTesla 2->41 43 4 other signatures 2->43 7 PO-4567-09.xlsx.exe 15 7 2->7         started        process3 file4 23 C:\Users\user\Desktop\FGHJUI.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->25 dropped 27 C:\Users\user\...\FGHJUI.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\...\PO-4567-09.xlsx.exe.log, ASCII 7->29 dropped 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->45 11 FGHJUI.exe 14 3 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 signatures7 47 Multi AV Scanner detection for dropped file 11->47 49 Machine Learning detection for dropped file 11->49 51 Writes to foreign memory regions 11->51 53 3 other signatures 11->53 16 InstallUtil.exe 2 11->16         started        19 reg.exe 1 1 14->19         started        21 conhost.exe 14->21         started        process8 signatures9 31 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->31 33 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->33 35 Creates an undocumented autostart registry key 19->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e9be72aed4abeba3b171ab786f8b326d8c08d449dcb0e7610abe3f0b8405267/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 07:06:30 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2n6okxnjk7luoyxdk3yn6fte3mmbdketxfq45qqvpr7bocakjtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f077fb618914c9f987dc7975a5e4c6372234ca35c292de29d864c494910928c
AgentTesla
1d0f9f608a9259fdb2f023365da66ed0726da7cfeffd7683a3ab8789eab41d99
AgentTesla
2a24e55affebdf336e67fe9ba8f667b095784a6bc6857ce8b89e7c48c8a8fd21
AgentTesla
6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc
AgentTesla
8b674dcd488e9b2d46b562bf23bbab4ac418d46caf950dfb62b3989d40842e83
AgentTesla
8d20f4a3b6d6a06e29d6807191d0347cbb38b377d1daeede7b710c4f082516c1
AgentTesla
8ef317f2278fbe6a533e8f78b932698e986280d2f4a6716aaaaa4dc5692222a8
AgentTesla
963b77250b3e94e3054bdcec6815c2f986d56de7734f1b5641aefe8a2a82584f
AgentTesla
fa4619ebda77472e045b64ebc355777bdf509125e450ef35a59efd275610c9d3
AgentTesla
fce3f94a3ada9b313d42d261e01794bec35d98dffee6ec9bd101a34b4511691b
AgentTesla
+ 6'013 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210615-1fxwcq2dns/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
6e9be72aed4abeba3b171ab786f8b326d8c08d449dcb0e7610abe3f0b8405267
MD5 hash:
74182f3e655329b3c6ae175ebffe3b76
SHA1 hash:
0911386d4a31934b3bdf6ed3c3386b8e660a75b5
Link:
https://www.unpac.me/results/d310c9aa-d57a-4c3a-aef8-7be16dd085a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6e9be72aed4abeba3b171ab786f8b326d8c08d449dcb0e7610abe3f0b8405267

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6e9be72aed4abeba3b171ab786f8b326d8c08d449dcb0e7610abe3f0b8405267

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/166425/

Comments