MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc86551645d7003062e0a3ee5516181b7a93d4fb5cae757222ad267bceedd208. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc86551645d7003062e0a3ee5516181b7a93d4fb5cae757222ad267bceedd208
SHA3-384 hash: 429f7edb15b31d2949f970ce371700a7a0f2c3854e02ca6ad5d601708221db417997626bd4129e0aedb6a4ab065f8419
SHA1 hash: 06840295d72e29dd16b50b102ba51fe43cbb5921
MD5 hash: 53e7001169487e7d4469285c10c6940f
humanhash: papa-mobile-diet-comet
File name:XmkNl6qlWsSSkIM.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:778'752 bytes
First seen:2021-08-26 04:35:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:9KAaJAT+G9S+wp4sVSKluhdKNKXxLXC2TQpK7pX:uATZzwp4sVSKyd0M1dp
Threatray 8'958 similar samples on MalwareBazaar
TLSH T139F48C54D9CCBC9AD44B2C77A47DF0382805FB4A967BD9AA1A59790660B33C3306BF0D
dhash icon d4b0aa8b8bae9edc (7 x Formbook, 7 x Loki, 5 x AgentTesla)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
XmkNl6qlWsSSkIM.exe
Verdict:
Malicious activity
Analysis date:
2021-08-26 04:35:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c8f062f-296f-465c-ae49-ed85449b6831

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182466/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b920215e-b74a-47cf-aa29-4dc55ffb0b2a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839457
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471888 Sample: XmkNl6qlWsSSkIM.exe Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AgentTesla 2->47 49 4 other signatures 2->49 6 XmkNl6qlWsSSkIM.exe 3 2->6         started        10 NXLun.exe 3 2->10         started        12 NXLun.exe 2 2->12         started        process3 file4 23 C:\Users\user\...\XmkNl6qlWsSSkIM.exe.log, ASCII 6->23 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->53 55 Injects a PE file into a foreign processes 6->55 14 XmkNl6qlWsSSkIM.exe 2 5 6->14         started        57 Multi AV Scanner detection for dropped file 10->57 19 NXLun.exe 2 10->19         started        21 NXLun.exe 2 12->21         started        signatures5 process6 dnsIp7 31 priserveinfra.com 50.31.160.189, 49718, 587 SERVERCENTRALUS United States 14->31 33 mail.priserveinfra.com 14->33 25 C:\Users\user\AppData\Roaming\...25XLun.exe, PE32 14->25 dropped 27 C:\Users\user\...27XLun.exe:Zone.Identifier, ASCII 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 Tries to harvest and steal ftp login credentials 14->39 41 3 other signatures 14->41 29 C:\Windows\System32\drivers\etc\hosts, ASCII 21->29 dropped file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc86551645d7003062e0a3ee5516181b7a93d4fb5cae757222ad267bceedd208/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 03:54:12 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsdfkfsf24adayxaupxfkfqydn5jhvh3lsxhk4rcvuthxtxn2iea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1a7b47cb19815654a494cf57cd5f786d4e93137ecfff90371e9546b248c8b635
AgentTesla
3adf7ec52a2f641fcb6c6a7c686d637f4ce2b97645c135af0074792eb93f93cd
AgentTesla
7336a855a84f2f2d0f49c00a9ccdd993135369b15fa93fc429c31bdcdb002cf6
AgentTesla
931a752444d02c98b75e8062756baa88f000d0ccd2cc05044280fb0e9ed7771d
AgentTesla
9423b7f41de10ed83754fae0f0915001144922c927f51c36b94036a707a09f31
AgentTesla
c3b53b975599992a6454623d9c30a0340ced3d3738a1591b33f515eac7081dca
AgentTesla
+ 8'948 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210826-eph1hqp8r6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/9489ffbc-2abe-4fd9-b0d7-0b73231aa658/
SH256 hash:
e31f6764af07128172c5117fc7278b8de7c195b0e9ca65f1adfd88a8db80c23e
MD5 hash:
49ec6727a378a954b86e43fd5faafa7c
SHA1 hash:
a72942601ef6da2c0282e1ab6f49b2b8c667725f
Link:
https://www.unpac.me/results/9489ffbc-2abe-4fd9-b0d7-0b73231aa658/
SH256 hash:
d862565ee8157585c5df5edff83d050214508c7d0d522e03b9a086c0ba4d5ead
MD5 hash:
6ae4f30356817e67f6fe145ba2045c57
SHA1 hash:
7340e4c9531444cddf11e8d12057fcbce0285d68
Link:
https://www.unpac.me/results/9489ffbc-2abe-4fd9-b0d7-0b73231aa658/
SH256 hash:
cc86551645d7003062e0a3ee5516181b7a93d4fb5cae757222ad267bceedd208
MD5 hash:
53e7001169487e7d4469285c10c6940f
SHA1 hash:
06840295d72e29dd16b50b102ba51fe43cbb5921
Link:
https://www.unpac.me/results/9489ffbc-2abe-4fd9-b0d7-0b73231aa658/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cc86551645d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/cc86551645d7003062e0a3ee5516181b7a93d4fb5cae757222ad267bceedd208

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cc86551645d7003062e0a3ee5516181b7a93d4fb5cae757222ad267bceedd208

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182466/

Comments