MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513
SHA3-384 hash:	e9014f70b988253b9587776ed62b7b2e35d4185ca3f97a1eb9449138e7a61f88feef56492ebf08925f7fcb005639d287
SHA1 hash:	85ec46cbef0d795eab3dfdab4698e94bd16b36be
MD5 hash:	a5aeaf67ea86c4f8a63e4ea9f827645f
humanhash:	pluto-happy-cold-hydrogen
File name:	6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	955'365 bytes
First seen:	2023-06-02 12:04:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (430 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep	24576:lTbBv5rUFcD8ubgLUDiUAjrzIAXiAZrFoPM:PBH8tYAXiAZr2M
Threatray	3'836 similar samples on MalwareBazaar
TLSH	T12F150202BBC198B2C07A09365A796B115A3DBD202B65CDDF63C47A2EDE325C1C731B72
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ecf0c68ac2c298f2 (60 x SnakeKeylogger, 14 x Formbook, 6 x AgentTesla)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513

Verdict:

Malicious activity

Analysis date:

2023-06-02 12:04:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/038cadc0-8ce5-41ca-b43a-643fcfee39ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/394777/

Detection(s):

Sanesecurity.Malware.29320.Rarsfx.SUD.UNOFFICIAL

Win.Dropper.Nanocore-10003585-0

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Launching a process

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/89048/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm autoit evasive greyware keylogger lolbin lolbin overlay packed setupapi.dll shdocvw.dll shell32.dll wscript

Link:

https://www.filescan.io/uploads/6479daeffaa640ca1b23a19a/reports/9a5fda54-9cd5-4f77-bc25-c4b14e9e2e11/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3d7218f2-4912-4247-bfcf-b5e7b015be11

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1247550

Signature

Allocates memory in foreign processes

Contains functionality to modify clipboard data

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Starts an encoded Visual Basic Script (VBE)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM autoit script

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-05-17 09:19:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 37 (72.97%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n36sjaoy6rr4q7qovrr2omyaolrm7gxyeilolnylyefxvrmysujq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25

AgentTesla

60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38

AgentTesla

64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a

AgentTesla

6c50963cb2f68cba3949a030f3e9520c239f096d22de4f104670588758dd9d26

AgentTesla

6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d

AgentTesla

715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6

AgentTesla

ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b

AgentTesla

ee0fac5b1ab0a1e4c8efadea7919f8f1105d0928ca3a7c359a65af0246e06cf1

AgentTesla

fb25c8a64c09f9c4e8c586b94d5cda1dc69be203b786ea297f9293d7bd7b8b30

AgentTesla

+ 3'826 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230602-n86b9sbf41/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5890284317:AAFxZGYyxiXSoARuFHvgemypoSAzxMytEOI/

Unpacked files

SH256 hash:

175f4fe5fa200d4a632c0564d3a1992b1ead3d0d1ef4d12c5a7485b245d747e2

MD5 hash:

ecc4b412bf7cd157a229d267f06ba48f

SHA1 hash:

1a79d200181c8fde77cdea3e71480f75091fa398

Link:

https://www.unpac.me/results/36c7695d-1d66-48c7-8daa-4c4265783883/

SH256 hash:

20c4e5772f3326030a17a66ee671afb025be375b109b0ddc3831b5d18bedbaf6

MD5 hash:

c3af10b661563e3bd47fe8af5855cf25

SHA1 hash:

2690c52470e6c95d0482c16407c1e96ab49c38ba

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/36c7695d-1d66-48c7-8daa-4c4265783883/

SH256 hash:

6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513

MD5 hash:

a5aeaf67ea86c4f8a63e4ea9f827645f

SHA1 hash:

85ec46cbef0d795eab3dfdab4698e94bd16b36be

Link:

https://www.unpac.me/results/36c7695d-1d66-48c7-8daa-4c4265783883/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6efd2481d8f4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	pe_imphash Create hunting rule

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/394777/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample