MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be6c4e37f023ce184bec96fd9588fed31af835599ec5d1432a69e2c00401a6be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be6c4e37f023ce184bec96fd9588fed31af835599ec5d1432a69e2c00401a6be
SHA3-384 hash: 00934fde2754ba99168702151044161acdf8aaa4ceceaa63e1c99eca9391288fa1c2aca5830c30dd0526623e854c1394
SHA1 hash: abbcc76e8de5708937ecc5e32bb67bfa1f5447dd
MD5 hash: 7c780d099c75d037bdd9082075a526ef
humanhash: pennsylvania-yankee-five-london
File name:Gönderilen ödemeyi onaylayın-2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:195'584 bytes
First seen:2023-09-11 15:17:03 UTC
Last seen:2023-09-11 15:36:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:Go1RjNs77l1EgwgRg/CWPi+TwHIcH+FCjUY1nl7xtsqDhelDrmklQr3kmI7SmfN:R1jsfDEglgaWPiboYVjUY1nl7xtsqDh0
Threatray 5'640 similar samples on MalwareBazaar
TLSH T18714D613B79B99B2C28B173BD6DB49000374D981A293DB4A3ACA13EA08C77F79D45747
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Gönderilen ödemeyi onaylayın-2.exe
Verdict:
Malicious activity
Analysis date:
2023-09-11 15:24:20 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/2feba596-b969-475b-a6c0-e716a3cb6aa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447998/
Detection(s):
SecuriteInfo.com.Win32.KeyloggerX-gen.13855.26288.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin packed replace
Link:
https://www.filescan.io/uploads/64ff2fab86964ed9c61a1e0f/reports/0f56a7b9-4c7c-4ded-ac97-3a407feef421/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/be6c4e37f023ce184bec96fd9588fed31af835599ec5d1432a69e2c00401a6be
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed5e7106-c755-4db6-87ed-05bdbb212c69
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307413
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307413 Sample: G#U00f6nderilen_#U00f6demey... Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Found malware configuration 2->46 48 Yara detected AgentTesla 2->48 50 6 other signatures 2->50 7 G#U00f6nderilen_#U00f6demeyi_onaylay#U0131n-2.exe 15 6 2->7         started        12 wscript.exe 1 2->12         started        process3 dnsIp4 30 web.fe.1drv.com 7->30 32 public.ch.files.1drv.com 7->32 34 2 other IPs or domains 7->34 24 C:\Users\user\AppData\...\Drlhqfefjp.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\Drlhqfefjp.vbs, ASCII 7->26 dropped 56 Drops VBS files to the startup folder 7->56 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->58 60 Writes to foreign memory regions 7->60 64 2 other signatures 7->64 14 aspnet_compiler.exe 14 2 7->14         started        62 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->62 18 Drlhqfefjp.exe 14 5 12->18         started        file5 signatures6 process7 dnsIp8 36 discordapp.com 162.159.135.233, 443, 49730, 49746 CLOUDFLARENETUS United States 14->36 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->66 68 Tries to steal Mail credentials (via file / registry access) 14->68 38 web.fe.1drv.com 18->38 40 public.ch.files.1drv.com 18->40 42 2 other IPs or domains 18->42 70 Machine Learning detection for dropped file 18->70 72 Writes to foreign memory regions 18->72 74 Allocates memory in foreign processes 18->74 76 Injects a PE file into a foreign processes 18->76 20 aspnet_compiler.exe 2 18->20         started        signatures9 process10 dnsIp11 28 discordapp.com 20->28 52 Tries to steal Mail credentials (via file / registry access) 20->52 54 Tries to harvest and steal browser information (history, passwords, etc) 20->54 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be6c4e37f023ce184bec96fd9588fed31af835599ec5d1432a69e2c00401a6be/
Threat name:
Win32.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2023-09-11 15:18:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzwe4n7qephbqs7ms36zlch62mnpqnkzt3c5cqzknhrmababu27a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
327f487c6ed34bbfc7d0541d081129d7b4bc4a6e071ed7750e9817da24d5a523
AgentTesla
42678776f6a08cb68c1e82ca815633a8397b10efd22fbbefd61f67d2506d1f49
AgentTesla
4d5bf61908d4cedb7b9f4dc857e4c469f8feb1b7bdb4cd6190c68fe5ed9abeaa
AgentTesla
547ef38e3cb8d7e87dd274ab818ebe3d52f2054dde4aaab7c51e5aa3780d0c1f
AgentTesla
5dd81b46f9b2a310868ab2b1ea4d61619ab039d8d19e8abff4a559930be4fe19
AgentTesla
67a1d95ac501b3239795c12bdebe20853519e92810d5124bff570a5f9001d440
AgentTesla
793e60744aa163e0da636233df2fc83f43d447cddf4a89b28ff15a0ca95e69f9
AgentTesla
9bee15aa43bcdb1c361ba488354de254e7860b9f006ad7ce7602adc6d7667e62
AgentTesla
a3a30f5a6bcfcd96305e17acaba93ceb8e59b484e7ec4b9dbf0d8db7ccde01ff
AgentTesla
b944f0cf50ef8d58b8cb7bc4f3777cbf4c9e6b8017b7ac67546b89677d831441
AgentTesla
+ 5'630 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230911-splkzaha35/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
AgentTesla
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1150569545115893760/CjsiQWjSoCFkLk8IsGwaVU7lHuAInmY-6JL0nAOwy87AleYMNbqTZCoNvto3BexNyX68
Unpacked files
SH256 hash:
be6c4e37f023ce184bec96fd9588fed31af835599ec5d1432a69e2c00401a6be
MD5 hash:
7c780d099c75d037bdd9082075a526ef
SHA1 hash:
abbcc76e8de5708937ecc5e32bb67bfa1f5447dd
Link:
https://www.unpac.me/results/16589aa5-cc69-4fe7-8654-f5d5e00b15f4/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be6c4e37f023/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be6c4e37f023ce184bec96fd9588fed31af835599ec5d1432a69e2c00401a6be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe be6c4e37f023ce184bec96fd9588fed31af835599ec5d1432a69e2c00401a6be

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/447998/

Comments