MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de
SHA3-384 hash: 05bbd01a2c75c44b1eaf32ba6130beebf58341f2766498b65d2d6ca4467d51f77d81f8eb8ddb9ed76bbc5575a04b5d69
SHA1 hash: 2ed5b88167919c7b6f70fb8265163d37b0815beb
MD5 hash: 80a9f5a1f01d4716c15bcdc8d025a8b2
humanhash: tango-earth-social-uniform
File name:6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:187'392 bytes
First seen:2023-10-04 20:09:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:nY4shH8UwcfkH+LGP34ouKerVUzeeDXbwa21Dv9ua/aHyvEbd2iY:nY4GH8UR2bwv
Threatray 1'631 similar samples on MalwareBazaar
TLSH T19704074977F4490AF9BE6B3248714C5963B0E4925923EB0D4FC284E95B33780CD9BBA7
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter vovaan
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de.exe
Verdict:
Malicious activity
Analysis date:
2023-10-05 06:58:22 UTC
Tags:
evasion agenttesla stealer nanocore
Link:
https://app.any.run/tasks/dcae6dfa-ffd9-4614-8585-0142cfe78665

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.AgentTesla-6952874-1
Create hunting rule

Win.Dropper.Razy-6519812-0
Create hunting rule

Win.Malware.Barys-6820546-0
Create hunting rule

Win.Packed.Barys-6841771-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Moving of the original file
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint fingerprint infostealer lolbin packed packed replace shell32 stealer stealer
Link:
https://www.filescan.io/uploads/651dc69df5e3ca1b01620d52/reports/976628af-d376-4b98-844e-cb049856ac24/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/816dc6fe-4da6-4e64-89c9-1a41c0f9d786
Result
Threat name:
Agent Tesla, Nanocore, AgentTesla
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319749
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Detected Agent Tesla keylogger
Detected Nanocore Rat
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1319749 Sample: YdoQjaN9Nm.exe Startdate: 04/10/2023 Architecture: WINDOWS Score: 100 47 checkip.dyndns.org 2->47 49 mailhosting.click 2->49 51 2 other IPs or domains 2->51 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 14 other signatures 2->69 9 YdoQjaN9Nm.exe 16 20 2->9         started        14 rbwggplluqq.exe 2->14         started        16 rbwggplluqq.exe 2->16         started        signatures3 process4 dnsIp5 53 132.226.8.169, 49700, 80 UTMEMUS United States 9->53 55 193.122.130.0, 80 ORACLE-BMC-31898US United States 9->55 57 3 other IPs or domains 9->57 41 C:\Users\user\AppData\Local\Temp\Update.exe, PE32 9->41 dropped 79 Detected Agent Tesla keylogger 9->79 81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 9->81 83 Moves itself to temp directory 9->83 93 5 other signatures 9->93 18 Update.exe 18 9->18         started        85 Antivirus detection for dropped file 14->85 87 Multi AV Scanner detection for dropped file 14->87 89 Detected Nanocore Rat 14->89 95 2 other signatures 14->95 22 rbwggplluqq.exe 3 14->22         started        91 Maps a DLL or memory area into another process 16->91 24 rbwggplluqq.exe 2 16->24         started        26 rbwggplluqq.exe 16->26         started        file6 signatures7 process8 file9 39 C:\Users\user\AppData\Local\Temp\sagob.exe, PE32 18->39 dropped 71 Antivirus detection for dropped file 18->71 73 Multi AV Scanner detection for dropped file 18->73 28 sagob.exe 1 2 18->28         started        75 Detected Nanocore Rat 24->75 77 Detected Agent Tesla keylogger 24->77 signatures10 process11 file12 43 C:\Users\user\AppData\...\rbwggplluqq.exe, PE32 28->43 dropped 97 Antivirus detection for dropped file 28->97 99 Multi AV Scanner detection for dropped file 28->99 101 Detected unpacking (creates a PE file in dynamic memory) 28->101 103 4 other signatures 28->103 32 sagob.exe 8 28->32         started        signatures13 process14 dnsIp15 45 194.180.48.119, 4444, 49713, 49714 LVLT-10753US Germany 32->45 37 C:\Users\user\AppData\Roaming\...\run.dat, International 32->37 dropped 59 Detected Nanocore Rat 32->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->61 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 22:08:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
31 of 38 (81.58%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7svwzk7ytgtwuoicpry35cbmz225anlbtjqhyk7lep5oscg7hpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
3d36a06552f24dc4a5ac3a4d9594e30dee088c95c1139b6e2d1374130d9065d9
AgentTesla
62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460
AgentTesla
a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73
AgentTesla
b125d23b3416c85b1f35d0d2f6d0f9aee2f1d905af6c79f39a9d6486033a6a45
AgentTesla
b330d142b19023e73d7f9d5f5c9dbb2f9ca450c36c038512cb11c1b0bd7bb593
AgentTesla
d3a2000ec18ab94aa8dbb5eef9360c6048ea3066d165fba1d9ca219ba5780385
AgentTesla
eaba2822cfb7a52fc240d9b6f32cae1f98a51cfbd47ae45bddf17134a464f6cc
AgentTesla
+ 1'621 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore collection evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231004-yxn9qagf83/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
NanoCore
Malware Config
C2 Extraction:
194.180.48.119:4444
Unpacked files
SH256 hash:
6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de
MD5 hash:
80a9f5a1f01d4716c15bcdc8d025a8b2
SHA1 hash:
2ed5b88167919c7b6f70fb8265163d37b0815beb
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/eefc16ea-92e2-4ce4-8ecc-109a270dea02/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6fe55b655fc4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:kevoreilly
Description:AgentTesla Payload
Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:AgentTesla_mod_tough_mem
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:agent_tesla
Create hunting rule
Author:Stormshield
Description:Detecting HTML strings used by Agent Tesla malware
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments