MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1
SHA3-384 hash: 65f8631409fe455de827cb5831bdf3625960b1de2ee8c9d9bc7dfcb3110bbe0413bc82703d2ad016535432078568a849
SHA1 hash: d6cdd503fa6050f281b3e0f8da85da72978728c6
MD5 hash: 1f527b6ee13b61c7f651ba949fae47af
humanhash: montana-shade-zebra-lion
File name:transfer slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:791'040 bytes
First seen:2023-05-10 12:51:20 UTC
Last seen:2023-05-13 22:58:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:rNZfTnkmnq0TllyRO7ct9ALCt2qk81EHinaa8QVv5pDrb4GblgJKC4evA98iH:rPLnDqWlJcs2tot7a8AJAmCE8i
Threatray 1'047 similar samples on MalwareBazaar
TLSH T1CDF4E121322A9B2BC7A853FE0A28454513B47716FC1BD23C2EDF21CDDD62F114A65EA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
270
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
transfer slip.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 12:52:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81e38a9c-3eee-4f20-9803-5b9e09e57afb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388187/
Detection(s):
SecuriteInfo.com.Variant.Lazy.338474.9426.15730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645b9373ca21d4c52e1ba924/reports/806f22c8-09e9-4aee-ab64-d8c63711d785/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/327cea81-1cb3-43d8-8bb2-4b17deb3bc4d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1230041
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 863032 Sample: transfer_slip.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 4 other signatures 2->60 7 transfer_slip.exe 6 2->7         started        11 jqQJqfl.exe 5 2->11         started        process3 dnsIp4 34 C:\Users\user\AppData\Roaming\jqQJqfl.exe, PE32 7->34 dropped 36 C:\Users\user\...\jqQJqfl.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp371E.tmp, XML 7->38 dropped 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->62 64 May check the online IP address of the machine 7->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 7->66 68 Adds a directory exclusion to Windows Defender 7->68 14 transfer_slip.exe 15 2 7->14         started        18 powershell.exe 19 7->18         started        20 schtasks.exe 1 7->20         started        22 transfer_slip.exe 7->22         started        40 192.168.2.1 unknown unknown 11->40 70 Multi AV Scanner detection for dropped file 11->70 72 Machine Learning detection for dropped file 11->72 74 Injects a PE file into a foreign processes 11->74 24 jqQJqfl.exe 11->24         started        26 schtasks.exe 11->26         started        file5 signatures6 process7 dnsIp8 42 whitemnlabs.com 192.3.204.194, 49701, 49705, 587 SERVER-MANIACA United States 14->42 44 mail.whitemnlabs.com 14->44 52 2 other IPs or domains 14->52 76 Installs a global keyboard hook 14->76 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        46 mail.whitemnlabs.com 24->46 48 104.237.62.211, 443, 49704 WEBNXUS United States 24->48 50 api.ipify.org 24->50 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->78 80 Tries to steal Mail credentials (via file / registry access) 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 32 conhost.exe 26->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 10:05:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=42ecl72b3ixjhqnwf7bwlcbzrnc37eaujgugobtoys4kwz52x6qq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
AgentTesla
3706066f775904b6ac4d07b179d3f7846c15c085ddeff5633c72a555d9529748
AgentTesla
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
AgentTesla
847e04095e646bc56458e498de0e8741d873b777567a0372b59d27d4f1d3b625
AgentTesla
a4b5f7aed3df1aaffcac4423faf222b78da209a22d2f6bd74cdf46d2b1498670
AgentTesla
bb2672735b9660902bf39ac41917389096203c4586d4460b59cb3737bf8e2814
AgentTesla
e44e1135888701ba8cbf462efa9d992a2fa1f83e52c471f65c62c16fdecade26
AgentTesla
fd6a88c61e8b5b68f3f70d8aab48dabdfc21d96d81f823647d310ccbe1fd968a
AgentTesla
fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf
AgentTesla
fee8b0a5bd69e9ca4d343dbf309b19ecc9a510dc26f7d84d1095fbb494763a99
AgentTesla
+ 1'037 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230510-p32ybsga84/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7edd2f1fa60a4e5ad21716da485b9b318d49289eb6f3e4ace50cad3ed2cbc03f
MD5 hash:
0ad79255aa12f732d4d560d46e149c0d
SHA1 hash:
e0d50e4c6a32a8754e51400a6bcd06fc4c979b54
Link:
https://www.unpac.me/results/e866d98f-d295-4a53-b53b-2569abc2a04e/
SH256 hash:
bd8f7dfde6dd7a119c16575910e68418e24a1df6eb563c070c4c756d2ca3c620
MD5 hash:
d13c27165735ac6b13f3d5870025dfb1
SHA1 hash:
c17049f590332fe7680333d1be5374319d5e5131
Link:
https://www.unpac.me/results/e866d98f-d295-4a53-b53b-2569abc2a04e/
SH256 hash:
83f0f18e12491f70c0934fdd012184cd630d2baf2c667cc758a4129e7111909d
MD5 hash:
cd875997aecffecc13f379efe5c3c83e
SHA1 hash:
7a439ebaec3b468f20e280860aee5b83cc796c98
Link:
https://www.unpac.me/results/e866d98f-d295-4a53-b53b-2569abc2a04e/
SH256 hash:
4fb13301dd7a3f62e7a1ab881c0049a4a6c6ff65c299afbda63c577cb9ca471a
MD5 hash:
61b4f3b38d24b9402183daf17c880ee2
SHA1 hash:
4e2b5402192f9d9c914c90f04c065183550e9339
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e866d98f-d295-4a53-b53b-2569abc2a04e/
Parent samples :
fa06c367eea3dc7496e8b8c3baf34ed7775518d1b779d041f41b0a4b92d4a922
e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1
SH256 hash:
d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218
MD5 hash:
e5d93dadd08b8bc727e4f4853c6881ba
SHA1 hash:
27e0e057d33f01586193b0cbf06561c2863951f4
Link:
https://www.unpac.me/results/e866d98f-d295-4a53-b53b-2569abc2a04e/
SH256 hash:
e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1
MD5 hash:
1f527b6ee13b61c7f651ba949fae47af
SHA1 hash:
d6cdd503fa6050f281b3e0f8da85da72978728c6
Link:
https://www.unpac.me/results/e866d98f-d295-4a53-b53b-2569abc2a04e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e68825ff41da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 69852a2daaa5905508bc02a55ff3d9e5fcadc38c438f7a38ba289371ffb73d48

AgentTesla

Executable exe e68825ff41da2e93c1b62fc36588398b45bf901449a867066ec4b8ab67babfa1

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388187/
  
Dropped by
SHA256 69852a2daaa5905508bc02a55ff3d9e5fcadc38c438f7a38ba289371ffb73d48
  
Dropped by
MD5 760dbb2a566ff8c2cab0c066929ca164

Comments