MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6571f062d5171a70f5750fa082728fe3407c7ed8e8562913c1ff66437b569ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	d6571f062d5171a70f5750fa082728fe3407c7ed8e8562913c1ff66437b569ae
SHA3-384 hash:	27d09c16f7a3f7c77e3ffbe16751d790fbef3c15884f2401ce5986cd080c8592390e5d762bf5d66d2397ba8ec6047ed9
SHA1 hash:	77513cf59d1df7f151c5aa3aefbbb2ee11e0151c
MD5 hash:	c146bd4b23c8fbd8d1888aabc0dcdbf8
humanhash:	delta-asparagus-triple-white
File name:	EITA Contact List - February 2023.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'108'480 bytes
First seen:	2023-02-28 07:46:30 UTC
Last seen:	2023-03-06 08:30:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:owk16dKvPklMS5iC0NA2wLXTe32CLu9I/Fsq4:Pkc40lP0NAPXT7CLu9yO
Threatray	1'140 similar samples on MalwareBazaar
TLSH	T1FA357B8032F9C155EDCF323D091C56CE7D79B207A252B22AAA7676D6A3077F772C8091
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	0xToxin
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

EITA Contact List - February 2023.exe

Verdict:

Malicious activity

Analysis date:

2023-02-28 07:50:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7620b5af-51ee-47b6-bb83-3b169e2d8f99

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370534/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230227-2236.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63fdb17a0e8ce4beca256ead/reports/1d3ce41d-9566-42db-be3e-84cbccd8bd80/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d6571f062d5171a70f5750fa082728fe3407c7ed8e8562913c1ff66437b569ae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f3f01548-d45c-41c5-9f31-b306c241b173

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1183989

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d6571f062d5171a70f5750fa082728fe3407c7ed8e8562913c1ff66437b569ae/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-02-27 16:21:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2zlr6brnkfy2od2xkd5aqjzi7y2apr7nr2cwfej4d73gin5vngxa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

216509ca0f82c10daa1b7ea155f150766effa1270b1cc4d946f7b6d26851f092

AgentTesla

24055d43a09021ce0a445076e9b729b335a726937080337752854f2883103f67

AgentTesla

71d07c6a2d2c936d68d34be26e8db95e47a616d30521f128feb2e79fbbaff469

AgentTesla

7870fc0f2fdeb1a6d5c5a713da63a813078d07e49d55adb031cc6bbda41ea9a0

AgentTesla

ba278e9a224009e14aa8b65a174afa76cd51e9a6fcfcf501d715abb7270d505c

AgentTesla

cd007e27773f87ed822f914b60667b5639f369e0cc1f533b6f8593589efdb337

AgentTesla

f1108b5eb80973aef37bd03b02d776a3bd44d9ec9425da749e4c8b22c0c16c67

AgentTesla

f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775

AgentTesla

+ 1'130 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230228-jmjh6aab95/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

75f7836fbb331b386fc9f0d5694046610dba28b1b8da460dc17e4d7226ab76bb

MD5 hash:

63b3df8f95a1984ef72b739ee4728b08

SHA1 hash:

b78d47a3d02aee38c658b153fd41636d718035c2

Link:

https://www.unpac.me/results/36dcac5d-21e6-4b0f-b0d2-a5434d5d336f/

SH256 hash:

2d609d51baccc33f53314c8d7072bfec7d1f5cc899086845b87864af763b051d

MD5 hash:

a75d4da1f53b73be428bc107dfd3048b

SHA1 hash:

6a76898df0df5ab221311cf75211db677da3792f

Link:

https://www.unpac.me/results/36dcac5d-21e6-4b0f-b0d2-a5434d5d336f/

SH256 hash:

93e8f939cfd0f8d65a050ffe3394d3303f10bffd630616272e7dda27dac1a6d7

MD5 hash:

6461a0bbe4d114db838711c948c9c70c

SHA1 hash:

4938589d9917ef8ee1fb6259318fe6ed7649d156

Link:

https://www.unpac.me/results/36dcac5d-21e6-4b0f-b0d2-a5434d5d336f/

SH256 hash:

8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c

MD5 hash:

e5b073b30db1b058298f5df032164e4d

SHA1 hash:

15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca

Link:

https://www.unpac.me/results/36dcac5d-21e6-4b0f-b0d2-a5434d5d336f/

SH256 hash:

219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38

MD5 hash:

88dd74207f3882979e21e26bf33a0e9c

SHA1 hash:

02a2db1bcbdb700f16c730a45d6ca62f805af8d4

Link:

https://www.unpac.me/results/36dcac5d-21e6-4b0f-b0d2-a5434d5d336f/

SH256 hash:

d6571f062d5171a70f5750fa082728fe3407c7ed8e8562913c1ff66437b569ae

MD5 hash:

c146bd4b23c8fbd8d1888aabc0dcdbf8

SHA1 hash:

77513cf59d1df7f151c5aa3aefbbb2ee11e0151c

Link:

https://www.unpac.me/results/36dcac5d-21e6-4b0f-b0d2-a5434d5d336f/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d6571f062d51/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/d6571f062d5171a70f5750fa082728fe3407c7ed8e8562913c1ff66437b569ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.