MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233
SHA3-384 hash: a1b98a564572a102d31ce2ac376ddd2f7d53d75ed9f686a387d2308f2427a3a74a0f38d6e86438412be7ce0376430d9a
SHA1 hash: e9e63e82f4eed1dce0e040f207c8ef0c09af2b63
MD5 hash: 2172bc5c6557c6ae931339bbc27cd7d9
humanhash: earth-idaho-arizona-white
File name:SecuriteInfo.com.Trojan.TR.Dropper.Gen.25466.31541
Download: download sample
Signature AgentTesla
Create hunting rule
File size:926'200 bytes
First seen:2023-07-21 00:28:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:x6NRZVS0ovFothkelJLU91BCLXQRW87sqD4j/K1Q:uZovFotTm91gQW8gqOb
Threatray 5'610 similar samples on MalwareBazaar
TLSH T1E7152391A3BC4C55DE35113754F2AD5142D29F8ABE139ACA2C9BBB71BB762C30C3C905
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f6f6c43673c96971 (7 x AgentTesla, 1 x Formbook)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.TR.Dropper.Gen.25466.31541
Verdict:
Malicious activity
Analysis date:
2023-07-21 00:29:39 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/620c9036-d78c-40c8-ad1d-bd0e5fa8f95d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/427244/
Detection(s):
SecuriteInfo.com.Trojan.TR.Dropper.Gen.11678.5363.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/50f27a64-101b-48c1-aa19-b73f68d69786
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277127
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277127 Sample: SecuriteInfo.com.Trojan.TR.... Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 6 Mvtgi.exe 5 2->6         started        9 SecuriteInfo.com.Trojan.TR.Dropper.Gen.25466.31541.exe 1 5 2->9         started        12 Mvtgi.exe 4 2->12         started        process3 file4 50 Antivirus detection for dropped file 6->50 52 Multi AV Scanner detection for dropped file 6->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->54 56 Machine Learning detection for dropped file 6->56 14 Mvtgi.exe 14 2 6->14         started        24 C:\Users\user\AppData\Roaming\Mvtgi.exe, PE32 9->24 dropped 26 C:\Users\user\...\Mvtgi.exe:Zone.Identifier, ASCII 9->26 dropped 28 SecuriteInfo.com.T...25466.31541.exe.log, ASCII 9->28 dropped 58 May check the online IP address of the machine 9->58 60 Injects a PE file into a foreign processes 9->60 18 SecuriteInfo.com.Trojan.TR.Dropper.Gen.25466.31541.exe 15 2 9->18         started        20 Mvtgi.exe 2 12->20         started        22 Mvtgi.exe 12->22         started        signatures5 process6 dnsIp7 30 192.168.2.1 unknown unknown 14->30 32 api.ipify.org 14->32 34 server1.sqsendy.shop 63.250.35.178, 49699, 49701, 49703 NAMECHEAP-NETUS United States 18->34 36 api4.ipify.org 173.231.16.76, 443, 49698, 49700 WEBNXUS United States 18->36 38 api.ipify.org 18->38 40 api.ipify.org 20->40 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->62 64 Tries to steal Mail credentials (via file / registry access) 20->64 66 Tries to harvest and steal browser information (history, passwords, etc) 20->66 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233/
Threat name:
Win32.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 23:19:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2wwkzfzutrkf56s27grgaa7kj35tqxm7a4csyi33hiowt6dwizq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2ad65e78905204a2813c619cd38632eeb99e111b5246dfb34558813ad442136e
AgentTesla
3999ae85e06577c12f54b2b716c659836945aa0ca246af9607d27a756f44d194
AgentTesla
449947dedfa89870f0f4d5dc86edc66c4656a6f94504167bbe4f803cd5c16076
AgentTesla
6a3bc2efcecdd25c5257e19e630b5785dc9e8ebb259773d40d2fc4c19e377285
AgentTesla
b2e3994ebb72e0dccce7114c073f2917889fa09a3036d21a0f7a8b715ea77a8d
AgentTesla
e5b3f5c88055487475981257a3146b756a653845e01c66141d3547192805a8f3
AgentTesla
e78333be3402a8425c18a63f6938fa2f861c877e362d6c679079c17d6ee18dd2
AgentTesla
fee59f311b2bd04aed3c5f40d7453366ceda8931de8e9dee2a64ef03823455ac
AgentTesla
+ 5'600 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230721-asxhjaca3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1ef4ccfd78a87c8e165c66dd4edde3fa2266b768b0323fc387de521bed5ef125
MD5 hash:
54e530a29705ed683b08e327a8ef2dd9
SHA1 hash:
df3a4f3583c6d933715ba493e82dfe946d735b88
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/09f8fc8a-dd5f-4f57-88de-4fdbe6807b63/
Parent samples :
c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233
c7728266367cb088e58dd7c5207e86c2c00a36a45e7267732bb5322af0fc82b2
16bac81cbed6b7de8ceb6634ea6c5777d2e2f5b255c781a68c47398bb7025ae0
3e6cf1f602231fd84bcf06af2a289436736182eb7f188ab0b02d9799d47a6eeb
SH256 hash:
c983b9f42854caa2b29cd7266b4783c78830e97a5c4135671d4ac014cc9979df
MD5 hash:
f080a1d6d9339fcc79a8061e07c91766
SHA1 hash:
3c555884b8891248909de464fad5111e1a7e42ba
Link:
https://www.unpac.me/results/09f8fc8a-dd5f-4f57-88de-4fdbe6807b63/
SH256 hash:
76f0e95baef52325c442a4b4b92f91996f9a79d845a6103bd79c0225c52ddd2a
MD5 hash:
b9a48deb8cd68ee4f19d9467bc20e380
SHA1 hash:
2599fa913d7c11e95d5e890afebbf260b68472de
Link:
https://www.unpac.me/results/09f8fc8a-dd5f-4f57-88de-4fdbe6807b63/
SH256 hash:
771d329ad2bdad783434b1109ab41f471160175f1d8ce483f8bf2d2b812bc539
MD5 hash:
3a6c7ac9fd127035a28a64211f69ff99
SHA1 hash:
0760c4c497e8485f310eb9f83d7b4799f2fd9fe9
Link:
https://www.unpac.me/results/09f8fc8a-dd5f-4f57-88de-4fdbe6807b63/
SH256 hash:
c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233
MD5 hash:
2172bc5c6557c6ae931339bbc27cd7d9
SHA1 hash:
e9e63e82f4eed1dce0e040f207c8ef0c09af2b63
Link:
https://www.unpac.me/results/09f8fc8a-dd5f-4f57-88de-4fdbe6807b63/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6ad6564b9a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427244/

Comments