MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10
SHA3-384 hash: 5b055c4d753b9b6c5b77e489aa068fb31313cba565546d4567fadff543395abf0bee1ec19354f73104bb0ea4167be384
SHA1 hash: 31268b1ac9bb83c698eadf5e74f65d58b12d2a50
MD5 hash: 66587368e39228edf1f6034794f17579
humanhash: montana-floor-river-bulldog
File name:66587368e39228edf1f6034794f17579.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:429'056 bytes
First seen:2021-06-25 07:10:01 UTC
Last seen:2021-06-25 08:13:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:C9Qh8CLJVPyw+dMkQcUPTps0sEhb5Zl/m9a:eQ6CLzyweeC0swb5eM
Threatray 3'813 similar samples on MalwareBazaar
TLSH 9794F11532F95729F1BBABF95AE071A14BFA71772612E44D0C8220CF1A63F40CD91AA7
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
66587368e39228edf1f6034794f17579.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 07:12:40 UTC
Tags:
trojan rat xpertrat stealer
Link:
https://app.any.run/tasks/276057e9-3908-4fd1-8ce7-e5e351ff2f77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168252/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.11400.11437.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f86065b5-742f-44d3-b929-44eaf941ffd0
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807967
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Disables user account control notifications
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440378 Sample: cyi3wfuqnV.exe Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Yara detected XpertRAT 2->65 67 6 other signatures 2->67 9 cyi3wfuqnV.exe 3 2->9         started        13 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 3 2->13         started        15 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 2 2->15         started        17 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 2 2->17         started        process3 file4 47 C:\Users\user\AppData\...\cyi3wfuqnV.exe.log, ASCII 9->47 dropped 77 Detected unpacking (creates a PE file in dynamic memory) 9->77 79 Injects a PE file into a foreign processes 9->79 19 cyi3wfuqnV.exe 1 1 9->19         started        22 cyi3wfuqnV.exe 9->22         started        81 Multi AV Scanner detection for dropped file 13->81 83 Machine Learning detection for dropped file 13->83 24 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 13->24         started        26 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 13->26         started        28 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 15->28         started        signatures5 process6 signatures7 69 Changes security center settings (notifications, updates, antivirus, firewall) 19->69 71 Disables user account control notifications 19->71 73 Writes to foreign memory regions 19->73 75 2 other signatures 19->75 30 iexplore.exe 3 8 19->30         started        process8 dnsIp9 53 mertrerfeyy.duckdns.org 195.133.40.193, 49734, 49735, 49736 SPD-NETTR Russian Federation 30->53 55 192.168.2.1 unknown unknown 30->55 49 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe, PE32 30->49 dropped 51 C:\...\J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4, data 30->51 dropped 57 Creates an undocumented autostart registry key 30->57 59 Creates autostart registry keys with suspicious names 30->59 35 iexplore.exe 30->35         started        37 iexplore.exe 30->37         started        39 iexplore.exe 1 30->39         started        41 4 other processes 30->41 file10 signatures11 process12 process13 43 WerFault.exe 35->43         started        45 WerFault.exe 37->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-25 00:48:56 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w24de36ve44quq2siilyw2sfvfz4iulnqmlgtttve7c5s7uqvmia._file
Verdict:
malicious
Similar samples:
065a971c432b0b52e8f26e693844feeee8811b2f09bab52ab98a3d9aa37da7cd
AgentTesla
5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b
AgentTesla
64d9ad7fa453939964d045971555233437f87c747989ff1d41f28b60258a4b97
AgentTesla
7cc47c3cf5c707f9cfd18d0939807a15727834a4e08bbb6eae605d5f109bb77c
AgentTesla
c62470b8c29852980c3c6f0e56bd70593d696605ce7c817fb7124673327ee015
AgentTesla
d71dcb4033372c29718b4946805429deca50ecedde74e761784917d771dc6e87
AgentTesla
dae342e7ff601fc56257e1cc03a7eb9478d4215ba7bb2a5caaad4355bad886d6
AgentTesla
df0f8724a5cff12da65f785ffdba965eac4ccec51e5ff2c9338344aeb4e01a8b
AgentTesla
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
AgentTesla
fbde1d61f9e0db8f87e964e8cccbd8e4ea3b157119edafceb07a3dd7b54464ea
AgentTesla
+ 3'803 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat trojan upx
Link:
https://tria.ge/reports/210625-mghaxm8n22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Program crash
Windows security modification
Adds policy Run key to start application
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Unpacked files
SH256 hash:
3ea37c26b745ef05d15c889dd058f3b4dd49e78156c9f433f2d20884bc14f3ee
MD5 hash:
0713cf3ecf613fddae4d0f05d91469b6
SHA1 hash:
63c26a9131d22e8245a72fabd38c21bb560f8798
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/0759f10f-0255-4d9d-a5d8-3bf0682924f9/
Parent samples :
b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10
06febadb1cc71ef3987c339b7c862ea4cd32656c372c4f266cd1af68c355a0c0
SH256 hash:
dbe20229bc01ad7cc7f3019855cef4408836d978d36f895598d4532ef1e90729
MD5 hash:
53fdbbd4c528edeba0b8f8041b058036
SHA1 hash:
6e1650578b2b87f2b6be56b77e0ba9a851241178
Link:
https://www.unpac.me/results/0759f10f-0255-4d9d-a5d8-3bf0682924f9/
SH256 hash:
8571166d94db2485ca66fbf64a03cc76e2b9d3b954b76441c534ccb5069ed22f
MD5 hash:
a437453292a237915f0b514af0545e6b
SHA1 hash:
96220f3e7d12f00ba7a72d89ece3ee2e4578f4ef
Link:
https://www.unpac.me/results/0759f10f-0255-4d9d-a5d8-3bf0682924f9/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/0759f10f-0255-4d9d-a5d8-3bf0682924f9/
SH256 hash:
b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10
MD5 hash:
66587368e39228edf1f6034794f17579
SHA1 hash:
31268b1ac9bb83c698eadf5e74f65d58b12d2a50
Link:
https://www.unpac.me/results/0759f10f-0255-4d9d-a5d8-3bf0682924f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/168252/
  
URLhaus
https://urlhaus.abuse.ch/url/1150070/
  
Delivery method
Distributed via web download

Comments