MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be6eddee7716fd87a1ff8c8b407bc3895b6acb165ecbaec087f1ebc4914d438c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be6eddee7716fd87a1ff8c8b407bc3895b6acb165ecbaec087f1ebc4914d438c
SHA3-384 hash: 74e61c4466f4cb5637596e624affaf78734d700e4ee8dc892a220e80416a03c9c2c1f3f95c86094c88ead1008ab6ff49
SHA1 hash: 5accb3182865a75312a64e87431278f1072b81ca
MD5 hash: 17a3633b6f0ddc4b4429163f3469fa81
humanhash: wisconsin-cola-blossom-florida
File name:SecuriteInfo.com.Win32.CrypterX-gen.12100.1746
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'039'360 bytes
First seen:2022-12-02 06:27:45 UTC
Last seen:2022-12-03 08:17:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:MwmIyhLfp/sVfdcYjBpxInkHKnnM4gngscPUYZYq0FCblKqQjL9QzX7BIBi8pV4c:9mBhS7uIKnMTXJu6UxKLjJQ5B8pnzTx
Threatray 21'149 similar samples on MalwareBazaar
TLSH T1D425CFE623949C93DA487D7F4E8DA58E327F15F3DEFE91C81D48B94116B66198E00EC0
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.12100.1746
Verdict:
Malicious activity
Analysis date:
2022-12-02 06:29:27 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/63250f16-fe7a-47ab-8f86-d9f3e9a55a22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341756/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.12100.1746.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63899af3579915b6b30401d3/reports/6bcaadd5-e778-4f33-b5db-453e1258e9e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9adf65c-16a0-4b26-80e1-a88a2933959f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126307
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 759031 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 02/12/2022 Architecture: WINDOWS Score: 100 49 api.telegram.org 2->49 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 11 other signatures 2->61 8 SecuriteInfo.com.Win32.CrypterX-gen.12100.1746.exe 6 2->8         started        12 VMqTMMD.exe 5 2->12         started        14 CpRpiOTi.exe 5 2->14         started        16 VMqTMMD.exe 2->16         started        signatures3 process4 file5 43 C:\Users\user\AppData\Roaming\CpRpiOTi.exe, PE32 8->43 dropped 45 C:\Users\user\AppData\Local\Temp\tmp8F0.tmp, XML 8->45 dropped 47 SecuriteInfo.com.W....12100.1746.exe.log, ASCII 8->47 dropped 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 8->77 18 SecuriteInfo.com.Win32.CrypterX-gen.12100.1746.exe 17 6 8->18         started        23 schtasks.exe 1 8->23         started        79 Machine Learning detection for dropped file 12->79 81 Injects a PE file into a foreign processes 12->81 25 VMqTMMD.exe 12->25         started        27 schtasks.exe 12->27         started        29 CpRpiOTi.exe 14->29         started        31 schtasks.exe 14->31         started        signatures6 process7 dnsIp8 51 api.telegram.org 149.154.167.220, 443, 49715, 49721 TELEGRAMRU United Kingdom 18->51 39 C:\Users\user\AppData\Roaming\...\VMqTMMD.exe, PE32 18->39 dropped 41 C:\Users\user\...\VMqTMMD.exe:Zone.Identifier, ASCII 18->41 dropped 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->63 65 Tries to steal Mail credentials (via file / registry access) 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 33 conhost.exe 23->33         started        53 192.168.2.1 unknown unknown 25->53 69 Tries to harvest and steal ftp login credentials 25->69 71 Tries to harvest and steal browser information (history, passwords, etc) 25->71 35 conhost.exe 27->35         started        37 conhost.exe 31->37         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be6eddee7716fd87a1ff8c8b407bc3895b6acb165ecbaec087f1ebc4914d438c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-02 06:28:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzxn33txc36ypip7rsfua66drfnwvsywl3f25qeh6hv4jeknioga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
740b8d98eca229f6873a327b046f509c7228ae9e7cf2acabfc43aa5c0e0d5d9d
AgentTesla
79fe46d2be00c4f28ed865d1fec837d8d34d16fdaf74b901d05018dc03e67686
AgentTesla
c21b4eb23258262e9effc08936edf4422c2c5a1affb42985a80409654c7d07b0
AgentTesla
dcc60226dc95db85e94d9e78b8af2ccb0bb0b201af107999e315ea01cbe52475
AgentTesla
ebb86221b5c4336e8155321c3ef818e39e38c981227b768433d107ba6aa3bd69
AgentTesla
f868f3057893355c8d428e09de48c4ccd89e8faf57b889b5c046ecd0bd5cd755
AgentTesla
+ 21'139 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221202-g8cxdsef5x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2cbb6bd9-cb62-46ce-ba7d-a61a0ac4a26e
Unpacked files
SH256 hash:
063bbde31b50d35721a3a94ccc476690f65d26eb3d24a7b598e9ffeb59b3cc12
MD5 hash:
ad7222cca9c844a38ea472fc1d645fda
SHA1 hash:
826e095e8289cfc72a617aaead18810a1fee7793
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/3942d9d4-7105-47f4-bb87-8ebcef4d193a/
Parent samples :
663796a5ce4127446f60d77bca21aee44037d4c0eaf3b14449f4a54ecb359428
df4eed6b429eba0c7fe96cce25b317efe39b46a443574f1d0aa9445da22f0ac2
9dfdb5048599b1083fe534cf5fe5a0440d71eb74b5497e506f0a0a4c23821f40
be6eddee7716fd87a1ff8c8b407bc3895b6acb165ecbaec087f1ebc4914d438c
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/3942d9d4-7105-47f4-bb87-8ebcef4d193a/
SH256 hash:
37acd4a58f93f2e4e548a74deed732a7d396aba9825615233b015f2e029c7e32
MD5 hash:
421ace6bd25b706cc05bb0c78d0f0fb1
SHA1 hash:
6452faa5cf2a33dc8f09a055193c20d1892249ca
Link:
https://www.unpac.me/results/3942d9d4-7105-47f4-bb87-8ebcef4d193a/
SH256 hash:
be6eddee7716fd87a1ff8c8b407bc3895b6acb165ecbaec087f1ebc4914d438c
MD5 hash:
17a3633b6f0ddc4b4429163f3469fa81
SHA1 hash:
5accb3182865a75312a64e87431278f1072b81ca
Link:
https://www.unpac.me/results/3942d9d4-7105-47f4-bb87-8ebcef4d193a/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be6eddee7716/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be6eddee7716fd87a1ff8c8b407bc3895b6acb165ecbaec087f1ebc4914d438c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/341756/

Comments