MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 4 File information Comments

SHA256 hash:	6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad
SHA3-384 hash:	d57256fe593d47101643e727c0c4c99c69fddf058ef8832f3ef3fac69ad8fee3776aa8ee4a3272ed9f6b44db3c4c5220
SHA1 hash:	c1a45f0b71ee4fda56d02c15c590bb2bc824e7e7
MD5 hash:	47bb70e4d43e94c4cebb78bd263d07d6
humanhash:	twenty-seven-social-earth
File name:	6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	753'152 bytes
First seen:	2023-10-12 11:01:48 UTC
Last seen:	2023-10-12 11:53:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:X6dL6yiRJU/WcjUcWaYgnfAW9NlyQDnBtEgsrUQPk5n/YqOYSF+kW5cNXQaXMG:qJBFedcWaY2fhFHR/ZDSF+N5ctQax
Threatray	381 similar samples on MalwareBazaar
TLSH	T129F4025645A08BDFD4100EB739213F263BB36DBE293CD649CDC93CBB9639340AA42B55
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad

Verdict:

Malicious activity

Analysis date:

2023-10-12 11:03:03 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/73bf8a0e-598f-4490-8036-76556ed8f6e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/453771/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6527d22b3b921285dcdd53ef/reports/33b6e9a0-48a0-439d-b1db-dda3f1942dec/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0daaf114-567e-4899-b2c4-2c94a4612c07

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1324604

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-09-28 16:04:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n3a4v2hpvsvymrxfc3sr64gwfnzx5npdhlaeglwsbc2p4owm7swq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72

AgentTesla

5656c153b65de82b8104162a070e36cde0a5ae7fb38569390fda0e9f2492a9d4

AgentTesla

6d8070624c9a9acdd20093644d4baa5481bb5a3e9ccc113e6a140bd721808585

AgentTesla

7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c

AgentTesla

810b1fa7f6da8f8630e22580272d2b2aeea8902806ec2ac92c8833becd71de0c

AgentTesla

8bc2d2a8e99fdf12dabed46d100d94d357e064f307718087591e9858c840a1c3

AgentTesla

be97e1d540ea8ba81adbd8873a4ef6123f6d5d3ff51fa010e432ae7e4cad8e99

AgentTesla

+ 371 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231012-m443zaef4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

a655be43f79d44bf3e6720e6e1aa99b8fd94785cd46707d9a0dd48a10e4d20c8

MD5 hash:

7c2c98a1bc1af93e1bc1e0c933915b8e

SHA1 hash:

c5c3a2e553fdfa9010cf11b582fe3399c5551ffd

Link:

https://www.unpac.me/results/fbf09431-415b-4eed-b0fb-30f87c3ac569/

SH256 hash:

1496d4ac542650a1c6137a567328694f898301ad42d6cd637efe3b512ec77745

MD5 hash:

f8d0cfacbe30d8f3388f6f49efca2f5e

SHA1 hash:

73924864021786ab450db60efc910d8132d63ace

Detections:

AgentTesla

Link:

https://www.unpac.me/results/fbf09431-415b-4eed-b0fb-30f87c3ac569/

Parent samples :

1464482f2d705d8813e983c4ee8582bde6f1d515c5e2c9406f13146fcf3f2687
35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80
337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509
6d8070624c9a9acdd20093644d4baa5481bb5a3e9ccc113e6a140bd721808585
6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad

SH256 hash:

cd2b9b72f99ee67e88e19b23da53195d3958a7ca0479f247eea5f6dd7082820e

MD5 hash:

808aae259b55bad64825ecdcb9c98662

SHA1 hash:

5b36e44e6bc3edcb611cc9c740938bbddad6f58a

Link:

https://www.unpac.me/results/fbf09431-415b-4eed-b0fb-30f87c3ac569/

SH256 hash:

7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391

MD5 hash:

1622a62bf6805b2dca82a8632eceac71

SHA1 hash:

071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c

Link:

https://www.unpac.me/results/fbf09431-415b-4eed-b0fb-30f87c3ac569/

SH256 hash:

6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad

MD5 hash:

47bb70e4d43e94c4cebb78bd263d07d6

SHA1 hash:

c1a45f0b71ee4fda56d02c15c590bb2bc824e7e7

Link:

https://www.unpac.me/results/fbf09431-415b-4eed-b0fb-30f87c3ac569/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6ec1cae8efac/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453771/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample