MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eec3ed20cf01fe2ae28df3add8d04b987e52d1299c0ee9ff72a677f36a5a8a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eec3ed20cf01fe2ae28df3add8d04b987e52d1299c0ee9ff72a677f36a5a8a2
SHA3-384 hash: cced0c21c8b722bfd06b5f4dd40ac537629194f4ad49e6014c4fa465c79344206ca050d484c91cbe591b85d60e74d507
SHA1 hash: bd180908907fed2fefb0f8ff6584720010e02ea8
MD5 hash: 4bfcc73ca04744ff5c9b6c80a42983a0
humanhash: kansas-missouri-lake-helium
File name:REQUEST OF QUOTATION NO GITE R-22144.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:723'456 bytes
First seen:2022-06-20 09:12:14 UTC
Last seen:2022-06-27 09:35:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:9XjGdyrjjCABvjMKbxaQ+x0pD2ztHQDtCc9wVFfkTpJeMBXzgojKvqZI4dFTzFg:9KdyrjjCOAeB2ztHQDtNGVK9zIMlzF
Threatray 17'698 similar samples on MalwareBazaar
TLSH T19FF422501BEC0636EDFE2B7960B168540731F82AB962F30F5FD9B59E1A723C181587A3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUEST OF QUOTATION NO GITE R-22144.exe
Verdict:
Malicious activity
Analysis date:
2022-06-20 06:35:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0394313f-dde0-47ac-ad70-4703ed4d586a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281498/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.19314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
No Threat
Threat level:
  2/10
Confidence:
50%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b03a618e2643f17a9d251d/reports/7ec3aacf-9685-4f4d-a46a-3b4d19af13aa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9949a7f2-c08f-44ee-aba5-4404aa2c1833
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1016220
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6eec3ed20cf01fe2ae28df3add8d04b987e52d1299c0ee9ff72a677f36a5a8a2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-18 18:39:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3wd5uqm6ap6flri345n3diexgd6klisthao5h7xfjtx6nvfvcra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b31f44752ba5dbb6413a79f955b13ae4c2fd507b7b9db64b9753dd6dfa05544
AgentTesla
2a69ae7691f2bc2d7e601ccbb69ee862481c4fa988d66232e77748177c54b52a
AgentTesla
328d51d3fac22a6af72ddc36ea5174b65d392cc4ad1d88141ff1fd0546ad8b5a
AgentTesla
78e1fbae10c16b140343e4b74ce4a005518c2811869aa37e38cb8c3e5d4b1d16
AgentTesla
831b339956fc2afd92ef6ec2ba27e4868cec86026d0c7aec2faaf8b7a56c1391
AgentTesla
b484edef2132ebb9af301e05295fd56bc7298db9fbb8c6ce43b6297950b0e4e2
AgentTesla
b5f537529382b388df4cb0d99d9deb7515fd28ce31e26a7b77db654b3d518931
AgentTesla
dd1a5d2bd088d8b31bc8a712bb7484aabcdc4fc3119147f22dc141a8092bd3b6
AgentTesla
+ 17'688 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220620-k7crsaebb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
ccf3b9737a6f4ffa6de6024052301f6ca3fd7a15ae4acb6d87b75e3373f48083
MD5 hash:
42e504bcd6a3fe7e333d97f357f57cb2
SHA1 hash:
d62a9dc7dac1237a5bf406a62d6f04be51d4b3cd
Link:
https://www.unpac.me/results/2207658b-8a7e-4274-8ba1-c77d729acf03/
SH256 hash:
f6c807f21c9453e4fef7497fc06dfb7a9486479201ebd71b93a57a32abfbeae7
MD5 hash:
16e1e443f688d94a63f331d6d837e852
SHA1 hash:
5ef9fea7a069e3c9de4278cfc98937ffdadf1ac7
Link:
https://www.unpac.me/results/2207658b-8a7e-4274-8ba1-c77d729acf03/
SH256 hash:
9aef130dc217fbc21b4ce3ab22af168eeedc0d65452c3d888a64adcd46fc59d6
MD5 hash:
e36e3146c284a0cf32545b937d7c6c47
SHA1 hash:
65f6383dfd7027baa44f30499b06d810984e3894
Link:
https://www.unpac.me/results/2207658b-8a7e-4274-8ba1-c77d729acf03/
SH256 hash:
84238dc32dc2c72716d7233f509b43a45617e2a24ca07eecda58ae37a704b90b
MD5 hash:
1d6115ad56b1707c8afa1a65f22afc96
SHA1 hash:
58cbf25298e84cf9d91da78ae370ac5ddbb2c3fd
Link:
https://www.unpac.me/results/2207658b-8a7e-4274-8ba1-c77d729acf03/
SH256 hash:
6eec3ed20cf01fe2ae28df3add8d04b987e52d1299c0ee9ff72a677f36a5a8a2
MD5 hash:
4bfcc73ca04744ff5c9b6c80a42983a0
SHA1 hash:
bd180908907fed2fefb0f8ff6584720010e02ea8
Link:
https://www.unpac.me/results/2207658b-8a7e-4274-8ba1-c77d729acf03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eec3ed20cf01fe2ae28df3add8d04b987e52d1299c0ee9ff72a677f36a5a8a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6eec3ed20cf01fe2ae28df3add8d04b987e52d1299c0ee9ff72a677f36a5a8a2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/281498/

Comments