MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc6f36bfe1cfe3f15eeb51691e0c4127907aa9ae9908b0fda4b8709bbde4c102. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	bc6f36bfe1cfe3f15eeb51691e0c4127907aa9ae9908b0fda4b8709bbde4c102
SHA3-384 hash:	e8bb3d1007d4c0d9129774e08ee0baaf7281c3f2dd888eda176d651dc688f2b373b7655cb603cfaf2a738e5790246b5f
SHA1 hash:	3751ace9a1b9dd67bf385ba9a7c0b46b89cef93e
MD5 hash:	56c0ce176dc175ba8fed092c913e4680
humanhash:	iowa-wolfram-delaware-july
File name:	CD737904^^^PDF.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'081'512 bytes
First seen:	2022-06-23 10:56:03 UTC
Last seen:	2022-06-23 12:17:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'654 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	24576:lSzGSYw1Gh5a9wVDmkDgNTW5FhC2FOq5k/lRO:IzrJiOqHtC+OQk/lRO
TLSH	T1213502203B2C4796D4C94F73AD019B6B8DBE15E73A3C1D45B680AF6839832E793C5A4D
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f8d8d0f0c0d0c0c0 (11 x AveMariaRAT, 10 x AgentTesla, 9 x Formbook)
Reporter	pr0xylife
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/282609/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

83%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/62b44702e88d6da4ffbf18e6/reports/50464349-395a-4713-983f-56e2627719bb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc014586-5c5d-4f6d-8037-101ff861e951

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1018571

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Obfuscated command line found

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/bc6f36bfe1cfe3f15eeb51691e0c4127907aa9ae9908b0fda4b8709bbde4c102/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2022-06-23 03:35:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 41 (26.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xrxtnp7bz7r7cxxlkfur4dcbe6ihvknoteelb7nexbyjxppeyeba._file

Verdict:

malicious

Label(s):

agenttesla

avemaria

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:agenttesla family:warzonerat collection infostealer keylogger persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/220623-m18xracfdq/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

AgentTesla

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

45.162.228.171:26112

Unpacked files

SH256 hash:

b8fc776f094cdfff9e2e4bf4ed49b959e0bd17a59ad58647822286586dc536d8

MD5 hash:

b7afa1d481d3ffdbafe850b7c4a309cd

SHA1 hash:

210ecbadc0c61c981dcb6c101c4c4ef22fcacab0

Link:

https://www.unpac.me/results/5876f634-7306-4db8-9cff-4eaa6055baa2/

SH256 hash:

43bd41c88f4794009ca73e4d24beb4123c94e55eac947782784297488685818c

MD5 hash:

e07a561b256119a8e51d258b7e7b0427

SHA1 hash:

ae7d1babade43dc92acb485717d02f5b5d0370c6

Link:

https://www.unpac.me/results/5876f634-7306-4db8-9cff-4eaa6055baa2/

SH256 hash:

bc6f36bfe1cfe3f15eeb51691e0c4127907aa9ae9908b0fda4b8709bbde4c102

MD5 hash:

56c0ce176dc175ba8fed092c913e4680

SHA1 hash:

3751ace9a1b9dd67bf385ba9a7c0b46b89cef93e

Link:

https://www.unpac.me/results/5876f634-7306-4db8-9cff-4eaa6055baa2/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bc6f36bfe1cf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/bc6f36bfe1cfe3f15eeb51691e0c4127907aa9ae9908b0fda4b8709bbde4c102

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/282609/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample