MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
SHA3-384 hash: 9a2b824b8c12354807b9438943cdac0d49cfd498fcf10820ddd4a53e582554f7b63654568aa724772a0be093cd987905
SHA1 hash: 62b9431d9c1dae26d8f85bc2beb000d245f048bc
MD5 hash: 4f2c3e174d8284d5db4c7b2c8958738a
humanhash: apart-salami-zulu-aspen
File name:SecuriteInfo.com.Win32.PWSX-gen.13127.3201
Download: download sample
Signature AgentTesla
Create hunting rule
File size:793'600 bytes
First seen:2023-01-09 09:36:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:pAcAYc7DPjzU9XBICKjyS0cnh5xe/Nx4ksDzmUSkMvmmFmi8:aSc7D3sf80cbxe/NhmzEkMv
Threatray 25'271 similar samples on MalwareBazaar
TLSH T146F4CF0F751CA75FCD5A8EB2FC75087046A0AF535605E64EB8C7EDED09A970E8A022D3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.13127.3201
Verdict:
Malicious activity
Analysis date:
2023-01-09 09:37:07 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/db431628-59b9-4f31-b8a8-5b82c05b894c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351044/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13127.3201.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63bbe03fa66e2eb29737fffe/reports/f611dee9-33d2-42ab-a18b-b9d4316d7f5d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6997c8de-505c-4898-8633-80380b371798
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1147862
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 780594 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 09/01/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 6 other signatures 2->47 7 SecuriteInfo.com.Win32.PWSX-gen.13127.3201.exe 7 2->7         started        11 byyJgq.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\byyJgq.exe, PE32 7->31 dropped 33 C:\Users\user\...\byyJgq.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpEB33.tmp, XML 7->35 dropped 37 SecuriteInfo.com.W....13127.3201.exe.log, ASCII 7->37 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Contains functionality to register a low level keyboard hook 7->53 61 2 other signatures 7->61 13 SecuriteInfo.com.Win32.PWSX-gen.13127.3201.exe 3 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 21 byyJgq.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 mail.richenqtex.me 162.0.229.41, 49705, 49711, 587 NAMECHEAP-NETUS Canada 13->39 63 Installs a global keyboard hook 13->63 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->65 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-09 09:37:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yfqqqkedyyprrrbvz2nqlfo3bfhees2r7xym2ihdrkgc72m4dyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f327479e5d13cccaa537642b85eb992ee39223086960d518105cf1daec78ddc
AgentTesla
1038c10cdf14d50b7bf14e8d6b0c2eb9c8849837ff19ac03e79ad16ffc2c2143
AgentTesla
2b924314517e86bfece5ecc1e2a6386ac415c9db078a48e7e974a08a8c6255ed
AgentTesla
30e9a12678d0f48ab2e58c4c676d7bf56351025550275913bfaa491b0382be2a
AgentTesla
37b0b6c8e886ba54facc53bea8f5d11ea52bb2ad186ef496bac773ba989b9e89
AgentTesla
5a0893d2100052e465b5329bc5ab00bad025469b279ef9fe1ab6a4643b5e8a5e
AgentTesla
72583f44847a7163594df6713b246140478f41f50448f9d8585ebfde2d4b3ca0
AgentTesla
8082a20f738274d2db56e6e1ed07d2ba7b4fb84af6f6a2ed867090c1d8465523
AgentTesla
+ 25'261 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230109-llgdhshc2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52340482-f18a-47e9-b554-c19c1c2b0b7a
Unpacked files
SH256 hash:
37719a0c057b9df57621958c193290a09a0e549653ef3ef4f061180ab2b61114
MD5 hash:
c4c3ee8e0be595fff87db28bd75de473
SHA1 hash:
e8a40acc0c2d1ec4caf823401e077d350f4c1c50
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ea415ac0-6401-4c63-8eab-2e9b3a1281b4/
Parent samples :
cb5a09fbb8c760f829a4b474f381b32a3ae68ec6e82c6b3d2fd8d2ef38b40d61
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
594da3885ba6766852371e812ae655b7422f6dbf76c2671ca887bbae0b07a553
SH256 hash:
1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6
MD5 hash:
b2d0625c46714e40a6a38238659ea9ed
SHA1 hash:
dc43d5d539eab67b7e3109d0e4894e099a1a18f8
Link:
https://www.unpac.me/results/ea415ac0-6401-4c63-8eab-2e9b3a1281b4/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/ea415ac0-6401-4c63-8eab-2e9b3a1281b4/
SH256 hash:
9f210313007f19c82f625e83db860764a70e4a4de5a715ba0d6fececac8ea5ed
MD5 hash:
5218a34c61e246dd8b36a3d5d57a4208
SHA1 hash:
4b5a182cd9938e0a5f63c7609ec75f494b90884d
Link:
https://www.unpac.me/results/ea415ac0-6401-4c63-8eab-2e9b3a1281b4/
SH256 hash:
6f65db52257e21161b97360c5d2d523c5e58a7b209bd2c6f79e3fb1c58b3d5e6
MD5 hash:
97980165f27a68a08bfeecbb60f1aedf
SHA1 hash:
3f8e3a2b6dece9db88313140e375cf9fad6f7e9d
Link:
https://www.unpac.me/results/ea415ac0-6401-4c63-8eab-2e9b3a1281b4/
SH256 hash:
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
MD5 hash:
4f2c3e174d8284d5db4c7b2c8958738a
SHA1 hash:
62b9431d9c1dae26d8f85bc2beb000d245f048bc
Link:
https://www.unpac.me/results/ea415ac0-6401-4c63-8eab-2e9b3a1281b4/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d60b0841441e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351044/

Comments