MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf9821c4c08a6d62cbe17ebc6c0d6ea40336c145e8e9369fe76505e1d3dc8674. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 13



SHA256 hash: cf9821c4c08a6d62cbe17ebc6c0d6ea40336c145e8e9369fe76505e1d3dc8674
SHA3-384 hash: 5d6a2ddae89f62d058c9466ba1a735347638ca145dc8cde0280f16076b75ce2cb51995c080cefd297f845e56906fc38f
SHA1 hash: abdffd40fa438146bf70c6a217ac1b5b6180c5db
MD5 hash: 30d6dbbf3251ef47c856e64254ee5601
humanhash: winter-fifteen-bluebird-nine
File name: Re-Order06382.exe
Signature: AgentTesla
File size: 1'265'152 bytes
First seen: 2022-06-30 01:03:00 UTC
Last seen: 2022-06-30 01:42:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:QJiDbiPUq/nu8Wd7j7HJFl4ocgSpeL3ni0M6V5unQHKy+ghxnjSy1QImbS:QJybiPx/nlGdFloInDuQqyzRebS
TLSH: T133451223A43CC1E6FA4D7DF09A0943A06ABA6D431A79F0ABC51FBDC6E873123C1561D4
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 59dadadcdcdad758 (26 x AgentTesla, 2 x AsyncRAT, 1 x SnakeKeylogger)
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
AgentTesla C2:
62.197.136.167:1111

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
62.197.136.167:1111    https://threatfox.abuse.ch/ioc/738660/

Intelligence


File Origin
# of uploads: 2
# of downloads: 300
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for files in the %temp% directory
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level: 5/10
Confidence:
67%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla, AsyncRAT
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph (ID 654786; sample Re-Order06382.exe; start date 30/06/2022; architecture WINDOWS; score 100), flattened from the graph export into a process tree:

Sample start
  signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
  started: Re-Order06382.exe, excel.exe, excel.exe, 2 other processes
  Re-Order06382.exe
    dropped: C:\Users\user\AppData\...\Ruonvtkd.exe (PE32); C:\Users\user\AppData\...\Vuzggmgebszs.exe (PE32); C:\Users\...\Ruonvtkd.exe:Zone.Identifier (ASCII); C:\Users\user\...\Re-Order06382.exe.log (ASCII)
    signatures: Encrypted powershell cmdline option found; Creates multiple autostart registry keys; Writes to foreign memory regions; Injects a PE file into a foreign processes
    started: InstallUtil.exe, Vuzggmgebszs.exe, powershell.exe
    InstallUtil.exe
      network: 62.197.136.167 (ports 1111, 49754, 49768; SPRINTLINKUS, Netherlands)
      dropped: C:\Users\user\AppData\Local\...\excel.exe (PE32)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 6 other signatures
    Vuzggmgebszs.exe
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found; Injects a PE file into a foreign processes
      started: powershell.exe, Vuzggmgebszs.exe
      powershell.exe
        started: conhost.exe
      Vuzggmgebszs.exe
        network: 127.0.0.1 (unknown)
    powershell.exe
      started: conhost.exe
  excel.exe
    signatures: Document exploit detected (process start blacklist hit); Injects files into Windows application
    started: conhost.exe
  excel.exe
    started: conhost.exe
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-06-29 23:48:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
22 of 26 (84.62%)
Threat level: 5/5
Verdict:
malicious
Label(s):
agenttesla
Result
Malware family:
asyncrat
Score: 10/10
Tags:
family:agenttesla family:asyncrat botnet:default collection keylogger persistence rat spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AgentTesla
AsyncRat
suricata: ET MALWARE AgentTesla Communicating with CnC Server
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
http://62.197.136.167/theme/inc/4ff2bf34e9fcdd.php
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:1111
62.197.136.167:6606
62.197.136.167:7707
62.197.136.167:8808
62.197.136.167:1111
Unpacked files
SHA256 hash: 080cb749aed25eddbd3dfa1e1e2c3f9d87a76e95300c3098d42f19f8689970db
MD5 hash: 2b11393bb7fa9f282d33f49fcb730ab8
SHA1 hash: fdc5d2342e72ad5e8f289ff11ed14d1086361df4

SHA256 hash: 668154744070b941e9d86cba8b61a5e39e00170ea23d3ddff28f2542bb1cd6f1
MD5 hash: 7f140bafc7aa62d04c36daa6342f56fb
SHA1 hash: 5d662b20b63439814cd79c87b17d49e1c7c53c5d

SHA256 hash: 733f90eff112709ebc5c76c47c99e0f4b2fdc2270fa174925e1206a197becdfd
MD5 hash: 7ee48ebe505ba8195a0efdea08b74d11
SHA1 hash: 0c72244637ad2cccb7c0f1c8aaa35526486b353f
Detections: win_asyncrat_w0 AsyncRAT

SHA256 hash: dbd1aee9db73f9872ead7cb2882650da91fe460627c1065b6edf79a21d1ed8df
MD5 hash: c5dd832061271cefaac78c3bb60977af
SHA1 hash: f90f7a317da17e2be914d877f8fbe0f2d99d5807

SHA256 hash: d295beef55b18590b7b8c6c0b1cd06580ff58fee609514de127061a3cc5e3444
MD5 hash: 368d52317d4fbea5104a99bee871aed7
SHA1 hash: 7be04ca2b719721ae4c34d54206303f0d4ee309c

SHA256 hash: 2ef7241b96d2307928f42ff106d844ae0dfb975ff226a2d8d01ea41310b532ae
MD5 hash: 439eb14f0f1c7d8f7fd5e698c551517f
SHA1 hash: 1864d791382a70d9b2d60327aee3775b4d60b55e

SHA256 hash: cf9821c4c08a6d62cbe17ebc6c0d6ea40336c145e8e9369fe76505e1d3dc8674
MD5 hash: 30d6dbbf3251ef47c856e64254ee5601
SHA1 hash: abdffd40fa438146bf70c6a217ac1b5b6180c5db
Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments