MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614
SHA3-384 hash: c73f6842da376002ee48523bd7f0aeb92860853150ee605e6b2a457ad1eba74a1dff7c9bc3aaeed8f7c5d2d2f44099e2
SHA1 hash: 06359eb4062384660c06f01280bc9e025e46296f
MD5 hash: a07e70b0b57df15c5a04d93da1de3f2b
humanhash: london-arizona-delaware-echo
File name:SecuriteInfo.com.Win32.Evo-gen.24813.27582
Download: download sample
Signature AgentTesla
Create hunting rule
File size:5'188'096 bytes
First seen:2024-08-04 19:51:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:ZXMxH6Fgv0E1olTMIpKF2MwjVLaDJIfiuvBvh2PEIdEHjvaQj2EtWU:6xHlj1UJbxaDJWNwPd0v
Threatray 49 similar samples on MalwareBazaar
TLSH T13C3622063689D5ADC27BD97C82D6E5AC7EA66D225FD2C5362CC235F844F0786B408F0B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon b1e0c6b696d4f031 (3 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
392
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.Evo-gen.24813.27582
Verdict:
Malicious activity
Analysis date:
2024-08-04 19:57:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/681edead-1957-4494-ba5e-096d64d358e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66afdbeeb7a04efc7439e0ba
Tags:
Generic Stealth Msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66afdbe799ea8891b190be6a/reports/564036ad-8294-4f6d-9823-e4d1978285b7/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1948351a-e4af-4836-905d-60fd5d29ac0e
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1487641
Signature
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614/
Threat name:
Win32.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2024-06-26 06:28:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nvaajngxgrfkqtqdezgykcuagj4adlhdzysarzzco74rbsquyka._file
Verdict:
malicious
Similar samples:
2b6c6b7a7b4ea5723a15a92ce376e7818f7ab58f4dc5944275932440bf4e2b09
AgentTesla
c72cce50564c666c535d1dde59af8e380ad592d0f9a221f005e736d33133e984
AgentTesla
db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614
AgentTesla
e12353f4d5f68aea92424cf34972738128fc010fe4fe3072d7098f9a299ed559
AgentTesla
f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780
AgentTesla
+ 39 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240804-yldzlsthrq/
Behaviour
Enumerates system info in registry
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
AgentTesla payload
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/da47d769-3c85-454b-bc65-dadb0b97de5c
Unpacked files
SH256 hash:
8d404f728cd98b3e112631e67493b29b1e5dcf2e866bda6eac96efc637a6a763
MD5 hash:
76684a032a4af541df0ef8886543cea5
SHA1 hash:
865772956d9e6dc7c8e645b5c178f064a24a3592
Link:
https://www.unpac.me/results/19374f73-972c-47f4-8adb-77bd1ff072d6/
SH256 hash:
d16cde59f82ca7873da3cbc6ed85861c50d38faa8a2ca9d518c1113183d35d7f
MD5 hash:
20d48592d999dcbcd441531652f26786
SHA1 hash:
56d7bcd2bfba3b64b0febb17dc09fe44b8669f3b
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/19374f73-972c-47f4-8adb-77bd1ff072d6/
SH256 hash:
c93c0b2624351c062e6ef851bdcf51f8971b26cfef7a939b701611ee6b52e12f
MD5 hash:
2906bd21e41afb31faacd69a11f6f16c
SHA1 hash:
249ec943161d8bf57a749f7691409bbbcd01312a
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/19374f73-972c-47f4-8adb-77bd1ff072d6/
Parent samples :
2b6c6b7a7b4ea5723a15a92ce376e7818f7ab58f4dc5944275932440bf4e2b09
db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614
0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
SH256 hash:
db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614
MD5 hash:
a07e70b0b57df15c5a04d93da1de3f2b
SHA1 hash:
06359eb4062384660c06f01280bc9e025e46296f
Link:
https://www.unpac.me/results/19374f73-972c-47f4-8adb-77bd1ff072d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments