MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6cbc998b74e0bbf41c6c9c56dc44e767be5b94e6459eb572c23a595ce652d43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6cbc998b74e0bbf41c6c9c56dc44e767be5b94e6459eb572c23a595ce652d43
SHA3-384 hash: 430b773fa60b460357cb88e9489de1b0d52674ce9a4503e0a946fb7e0444c63f49c69b32690fd465128817d491c2d397
SHA1 hash: 1e5e4fbde61198cfcaf8559bb22d295f05df5b43
MD5 hash: b61e85ad188d2067fc27cb0e6d08e5e5
humanhash: bakerloo-bravo-uranus-wyoming
File name:documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:326'935 bytes
First seen:2022-05-24 16:27:00 UTC
Last seen:2022-05-24 17:40:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 55f3dfd13c0557d3e32bcbc604441dd3 (124 x Formbook, 18 x Loki, 13 x AgentTesla)
ssdeep 6144:B0Yy/EsW3aIkiQW1GAxehO78w1UOdeKDqz4meuA4IajUXCWUWo8:UEsoXn1GCeW1UOtqz4mePven8
Threatray 18'699 similar samples on MalwareBazaar
TLSH T1D264121635C299BEC10B7CF208FD5B27F6FF36140560261F0B405FAAB5266C1AE792DA
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
385
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
documents.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 16:35:21 UTC
Tags:
installer agenttesla
Link:
https://app.any.run/tasks/0dd00a3c-0d28-4724-9aea-8c01e214bdda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274189/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Reading critical registry keys
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Changing the hosts file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/628d0793054dcf0ecae85555/reports/8ed6abe6-62bd-4a8c-8070-49dc3839f18c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3b98e25-ef8d-4861-89f5-24ee475d76fa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000860
Signature
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633353 Sample: documents.exe Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic 2->28 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 4 other signatures 2->34 7 documents.exe 19 2->7         started        process3 file4 18 C:\Users\user\AppData\Local\...\ftqdzswrd.exe, PE32 7->18 dropped 10 ftqdzswrd.exe 7->10         started        process5 signatures6 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->38 40 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->40 42 Injects a PE file into a foreign processes 10->42 13 ftqdzswrd.exe 2 3 10->13         started        process7 dnsIp8 22 subnet-group.com 206.189.39.129, 49758, 587 DIGITALOCEAN-ASNUS United States 13->22 24 192.168.2.1 unknown unknown 13->24 26 mail.subnet-group.com 13->26 20 C:\Windows\System32\drivers\etc\hosts, ASCII 13->20 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->44 46 Tries to steal Mail credentials (via file / registry access) 13->46 48 Tries to harvest and steal ftp login credentials 13->48 50 2 other signatures 13->50 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c6cbc998b74e0bbf41c6c9c56dc44e767be5b94e6459eb572c23a595ce652d43/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 16:27:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3f4tgfxjyf36qogzhcw3rcooz56lokomrm6wvzmeoszlttffvbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0918c0111b97f8a25e9717e9b74a96c85e9f3801e2922bb050e8024edf9adff0
AgentTesla
4303985ee7b44ba9c01edd967873f8b12df0dcd267f48df10962b3368e01ff82
AgentTesla
6a0cdf63baad32236d845d0027822d4e9c67ac4f9bddd9933ada09f9811dbca5
AgentTesla
6ac706b6fe1af38091271422e7b896393f32f34924e84f15ac296d837ce56605
AgentTesla
d3e50ef8f29f78a2bff3ddf40d6eb7a25986a549beba200ad9ff678dad816279
AgentTesla
dd0bdbd65d12a9ee3c2aea6c16ca0a6bf913d09a72385bfda2b1d8a6e1011436
AgentTesla
+ 18'689 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220524-tx3pwshea8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
ded6c282b20481d28e33070ceb1d8c90d71e42e07bff8796331425f4217f6cc0
MD5 hash:
e05649b56a929983afb9091ca7c90416
SHA1 hash:
baf1ce67f204e658103c9c1d55674c9ee130bf6a
Link:
https://www.unpac.me/results/a1d584ad-b0b5-4b0a-8496-797dee049568/
SH256 hash:
c6cbc998b74e0bbf41c6c9c56dc44e767be5b94e6459eb572c23a595ce652d43
MD5 hash:
b61e85ad188d2067fc27cb0e6d08e5e5
SHA1 hash:
1e5e4fbde61198cfcaf8559bb22d295f05df5b43
Link:
https://www.unpac.me/results/a1d584ad-b0b5-4b0a-8496-797dee049568/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6cbc998b74e0bbf41c6c9c56dc44e767be5b94e6459eb572c23a595ce652d43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c6cbc998b74e0bbf41c6c9c56dc44e767be5b94e6459eb572c23a595ce652d43

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274189/

Comments