MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f
SHA3-384 hash: 569c5b867b505b85eaabdb77772e255a52c9dc176d6c17e733cb30f2b61c74cf4107c64e540eb95d045bfc10b6b01635
SHA1 hash: f593194eeac1f4bf212f4b3a162c4f563ea0383c
MD5 hash: e836bcf7c512b94bc2d7c5cf86bdc9a7
humanhash: harry-five-rugby-shade
File name:e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:727'552 bytes
First seen:2023-10-12 10:29:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QfgsT57Ly2ueljZtOHO3XYAbcZqzT3NAji2BnlY:QfVn5KOHiIPdAzO
Threatray 332 similar samples on MalwareBazaar
TLSH T121F43A4526D81719F47EABF1C3B40308D7FAFD5BD736E55EBC8501DA0A61E00CAA2B26
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f
Verdict:
Malicious activity
Analysis date:
2023-10-12 10:32:32 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/fadac100-8878-41d9-a4e4-615a9330e73c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453750/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61454.19153.3932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6527caac28455aedec103751/reports/da54063e-ccfe-4676-a0e4-cb47358aae68/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e86d95bd-8814-44f3-bc1a-32e773cf3a90
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324575
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1324575 Sample: ia2cJub3HM.exe Startdate: 12/10/2023 Architecture: WINDOWS Score: 100 32 strictfacilityservices.com 2->32 34 mail.strictfacilityservices.com 2->34 36 2 other IPs or domains 2->36 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 11 other signatures 2->48 8 ia2cJub3HM.exe 6 2->8         started        12 LNektbXJE.exe 5 2->12         started        signatures3 process4 file5 28 C:\Users\user\AppData\Roaming\LNektbXJE.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\tmp27E9.tmp, XML 8->30 dropped 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->50 52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->52 54 Uses schtasks.exe or at.exe to add and modify task schedules 8->54 14 ia2cJub3HM.exe 15 2 8->14         started        18 schtasks.exe 1 8->18         started        56 Multi AV Scanner detection for dropped file 12->56 58 Machine Learning detection for dropped file 12->58 60 Injects a PE file into a foreign processes 12->60 20 LNektbXJE.exe 14 2 12->20         started        22 schtasks.exe 1 12->22         started        signatures6 process7 dnsIp8 38 strictfacilityservices.com 111.118.212.38, 49743, 49746, 587 PUBLIC-DOMAIN-REGISTRYUS India 14->38 40 api4.ipify.org 104.237.62.212, 443, 49742, 49745 WEBNXUS United States 14->40 24 conhost.exe 18->24         started        62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->62 64 Tries to steal Mail credentials (via file / registry access) 20->64 66 Tries to harvest and steal browser information (history, passwords, etc) 20->66 26 conhost.exe 22->26         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-28 06:04:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=43bxeeprmx2hykolka43jqurfnjduncg2brkfn6nbrodyuqqlb7q._file
Verdict:
malicious
Similar samples:
1f22495e0f459d46c901746a490c146552173cb83d629bdb694f5961c09be657
AgentTesla
43b81d0ca2373e9f8746005bff03564656b711c3a0d9e81a632f703a420e1cd6
AgentTesla
5ad0285de999973d1a665bcfe5d7040494f64c113d8ef8664d3bda3ae66b8d67
AgentTesla
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b
AgentTesla
8438ac5745f37292a9c36993ae4ff00fb3f3e52abd075d2efb0e3581ce1b8e94
AgentTesla
ac9a2aedb6a7a14dfa233489e17f6efc4ddd9cd6c12c46a10fa193fc578430f0
AgentTesla
b3c98a624e7fe69823ba0d02dbadf37fcb5d38cea33e35d6f1546e07507ccd69
AgentTesla
c22334a30489c310ccebd2eb69b289bf3f01461a72a4da146a59cdaa06283e04
AgentTesla
f679e4d7e9309d91bda6ee6f61d792c784c7e3367184775c1bfdc5010f6d7a15
AgentTesla
+ 322 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231012-mjtfqsfb73/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c00bfc6ef8809499f51b517cd65d89af063d5f4e72e84ab1461554cda59f912c
MD5 hash:
d147797f6b77ca5010584899e6102ee7
SHA1 hash:
bf1765ebfbf2305c744b8e2fd6312524f41b367d
Link:
https://www.unpac.me/results/38b5500e-bae7-46ff-ac3f-6a8741f1d330/
SH256 hash:
1fb8730bb4ff9b04077d1a38852e7a5f7da7eaf269eb7f353b710a9a26c68c67
MD5 hash:
cd31b95d6bb77db88a6cf6f2ef574126
SHA1 hash:
b0d135a8b4b26521235f035f8cd6845994fda768
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/38b5500e-bae7-46ff-ac3f-6a8741f1d330/
Parent samples :
14b47b7daa92d367e8169a57efd8b0f56aab2a7c3377e2feac3fdb4f9611df33
e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f
SH256 hash:
0b4c93addb0071e4cc368bc5e46a535e2eafd360b5db8b6c87620d7225eade2d
MD5 hash:
e17d9bb18c1bf12de8c75fa570f4cf72
SHA1 hash:
97751a31524557387d136e0e42e204186d00b5dd
Link:
https://www.unpac.me/results/38b5500e-bae7-46ff-ac3f-6a8741f1d330/
SH256 hash:
e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f
MD5 hash:
e836bcf7c512b94bc2d7c5cf86bdc9a7
SHA1 hash:
f593194eeac1f4bf212f4b3a162c4f563ea0383c
Link:
https://www.unpac.me/results/38b5500e-bae7-46ff-ac3f-6a8741f1d330/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6c37211f165/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6c37211f165f47c29cb5039b4c2912b523a3446d062a2b7cd0c5c3c5210587f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/453750/

Comments