MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6a7e17e7a419a7627495bda74f392db350508a36cc2a089342374e343fe0a06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6a7e17e7a419a7627495bda74f392db350508a36cc2a089342374e343fe0a06
SHA3-384 hash: 4ebb239a788bd6248651786a03da79ee7c4a451815e9f0dc6cfd110a8e3d195108aba940464679280bcd4a344055d791
SHA1 hash: e5ef09c4ab6e03759d958ed1c5db9918fd538522
MD5 hash: dc40cd2f20db371a7ac68e08173cc9bf
humanhash: happy-carolina-burger-delaware
File name:SecuriteInfo.com.Gen.Variant.Nemesis.1826.15890.27083
Download: download sample
Signature AgentTesla
Create hunting rule
File size:339'425 bytes
First seen:2022-11-09 12:55:55 UTC
Last seen:2022-11-10 18:52:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 6144:zEa0kE1Mz9Hlh06zxo+InLSHhu+vBhWUJx8KWf5G:9E1UHn0Kxo+InAuuXx8KS5G
Threatray 21'278 similar samples on MalwareBazaar
TLSH T13274124303B068EBD9631EBD412D955AC77ADB0612E22B0B63ED5F2BED73603561814E
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6cc0d0d0d8cce4c0 (1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.1826.15890.27083
Verdict:
Malicious activity
Analysis date:
2022-11-09 13:13:15 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/a726bd7a-a9d9-450f-8070-2363222dc8db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331208/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.1826.15890.27083.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a window
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50522/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/636ba3637662ecf1083972dd/reports/aea71f76-a268-4a7d-91fe-1ad48413cf3f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fa87c72-6388-4281-8d89-aba90b9a5a57
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109297
Signature
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6a7e17e7a419a7627495bda74f392db350508a36cc2a089342374e343fe0a06/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 09:59:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2t6c7t2ignhmj2jlpnhj44s3m2qkcfdntbkbcjuen2ogq76bida._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
32ce4af90555f219552a1045072569278b801900a324a80d4415d59d1131e117
AgentTesla
3ab18149a4d122fc88ef77a284d9c8a910aa86b91634d5eadfcce6dbbfebe6f6
AgentTesla
45340696f311075cbef1929f4ce534aaa3b872e75f15a9d538ba7cd4f45b717d
AgentTesla
53339c5cdab615030a4c2590e24fff630950bd67efa0befc029cb65c1621ecfb
AgentTesla
61881ceb156b1061749e30c9e396bf12e94abedaebfe0acc723666c3f58e5ada
AgentTesla
be82b725c643ac9d30a503f2fd615d9bcd38ed9f0edbe53082d5743ded65e327
AgentTesla
c05b7b394c6fd0211f67dae500bd48d89b0ce2d16ff2088ca657b1fed475599d
AgentTesla
d33c04a958e132c539ad530e9c12e03e0fb9243928307bbb660b6179676d166c
AgentTesla
+ 21'268 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221109-p6cgvaafap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
a4e8315c48c26253d7a1ee2bf3d9406a27cc68326af85334d276eb4d956389db
MD5 hash:
b420fcf7f57aed04aa5898b83622d6c9
SHA1 hash:
d5e9300ee765047b75a259ff75bb7f961cfa18fb
Link:
https://www.unpac.me/results/ab152974-8aa4-4673-aed0-766c003edf7e/
Parent samples :
330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91
435ce1e9404ae789d2a1a33e57f602f4bdfd6bb08c49826699ca23da5a117c70
58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb
feb004eece446b55f9084f8eb1ef78f3629943b6978a7fcd1179a64d14477255
SH256 hash:
a1e687dde75265a6efd76ea081c9107d3c4f653045cc2a9896e8ff966a12460c
MD5 hash:
a4526ace3d2e8a234256cd89de918def
SHA1 hash:
bc3f5473e4e3389be3ec86dadc1420e019f7f0c7
Link:
https://www.unpac.me/results/ab152974-8aa4-4673-aed0-766c003edf7e/
SH256 hash:
c35b2b5865070d42b7159e4feaf7a707bb4cffad35713f5a4fabfda734171430
MD5 hash:
b4c317a4b9df3b3aba8b5a78a5751df0
SHA1 hash:
6d0a63f2023273f911ee9bac3461729f233c21f4
Link:
https://www.unpac.me/results/ab152974-8aa4-4673-aed0-766c003edf7e/
SH256 hash:
b6a7e17e7a419a7627495bda74f392db350508a36cc2a089342374e343fe0a06
MD5 hash:
dc40cd2f20db371a7ac68e08173cc9bf
SHA1 hash:
e5ef09c4ab6e03759d958ed1c5db9918fd538522
Link:
https://www.unpac.me/results/ab152974-8aa4-4673-aed0-766c003edf7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6a7e17e7a419a7627495bda74f392db350508a36cc2a089342374e343fe0a06

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/331208/

Comments