MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fbf92e7feb171af3ba08bfc6a87cdd5f6226a2b7a38c3b586fc677464774974. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fbf92e7feb171af3ba08bfc6a87cdd5f6226a2b7a38c3b586fc677464774974
SHA3-384 hash: 38e968f7877de6d6e7cebbc6cfae01b574a8dfa5eca4b725cc1cb86e35ca7bec864cc882c28861aae1a29a9dc7d8f014
SHA1 hash: c79f9d5a3953db71e44a89a5185abf81586ce812
MD5 hash: 493dc3802cad640021e2a78ba2bd270c
humanhash: don-bluebird-october-five
File name:#New order.(08421) RABIE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:585'728 bytes
First seen:2021-08-09 05:12:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Qj0QBlWjrvtRcOLFvMPuQ+A5yPDsyfG+H0DWOEFHWu+Q5C0/HAJPnuXU4gl/AM73:5RcGCNyPffGNrEgLyJAJPukFV3+n
Threatray 8'039 similar samples on MalwareBazaar
TLSH T106C49C2B25985617F47CD2BC2854120BF379DFD6F0DEEA85EC8729D2CA75B82118428F
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
#New order.(08421) RABIE.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 05:16:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/44db5a76-5a23-4e06-95c6-57ab33bef9c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177379/
Detection(s):
SecuriteInfo.com.Artemis493DC3802CAD.31762.9206.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/849d0193-acf2-4681-9477-5bdc089437c5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829141
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6fbf92e7feb171af3ba08bfc6a87cdd5f6226a2b7a38c3b586fc677464774974/
Threat name:
Win32.Spyware.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 23:28:23 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n67zfz76wfy26o5arp6gvb6n2x3ce2rlpi4mhnmg7rtxizdxjf2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
306e5b34b75ce392b55691abcda73d75d7f8717e286cadc36c5582c7ebde621b
AgentTesla
4e7247eb168024ba9ae235793ec27cbf576eaa5fc0ba2ace93ce5465336311f1
AgentTesla
67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e
AgentTesla
6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408
AgentTesla
84aff154ff6475dfe98c65e5650ed5e63a219d4af2c0cad67daae9d4ad014878
AgentTesla
8c3ab165a5d5df357187a6ed4794e840be930b784b75055abe8e8cae2a772e32
AgentTesla
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
AgentTesla
ddefd092e02315db3ca66038a91523ad7b0cfb8d0a285c2cbb08e165067448d1
AgentTesla
e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12
AgentTesla
+ 8'029 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210809-63y6bmwwwn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d27726cc404cd8e8b7b78deef53bd3775a6aed8a155acfb98020bf56c5c7e838
MD5 hash:
c17bc59afd26c6dae36e829d795a0946
SHA1 hash:
ff4ce3457dedf0814d51fe55742d3f4600abf8e7
Link:
https://www.unpac.me/results/3e957987-99f2-49c5-a56d-84e1ca16c8f6/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/3e957987-99f2-49c5-a56d-84e1ca16c8f6/
SH256 hash:
ea25ab3a8345b5af6b7b73f1eb1de8b23fd133d25d2cd6daf4c79c2784be9a88
MD5 hash:
11e6e92ed67d64e8b5232ba9eaaf01aa
SHA1 hash:
39e019c765539e5fb817e3f01cdd3e558d1bbe3c
Link:
https://www.unpac.me/results/3e957987-99f2-49c5-a56d-84e1ca16c8f6/
SH256 hash:
6fbf92e7feb171af3ba08bfc6a87cdd5f6226a2b7a38c3b586fc677464774974
MD5 hash:
493dc3802cad640021e2a78ba2bd270c
SHA1 hash:
c79f9d5a3953db71e44a89a5185abf81586ce812
Link:
https://www.unpac.me/results/3e957987-99f2-49c5-a56d-84e1ca16c8f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fbf92e7feb171af3ba08bfc6a87cdd5f6226a2b7a38c3b586fc677464774974

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177379/

Comments