MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf63ee51b700ba7c3628b5bc5696e922268abae30541e601a9045eef56253d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 9 File information Comments

SHA256 hash:	ecf63ee51b700ba7c3628b5bc5696e922268abae30541e601a9045eef56253d6
SHA3-384 hash:	f5a882a1a9ff6b6d6e84fc025594c5c5e5d8cdb2b8a4a5ddd83284a40c54e719043bccf83e2317a44273a5bb033a2c24
SHA1 hash:	2d34a15e0a3fda53d36fdab382ef67aa70c0939e
MD5 hash:	fee7a286ab4d7c19818ed3f43f6bfad7
humanhash:	apart-carolina-golf-diet
File name:	Compra Order_96857657689-Generaut®_____________________________________.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'176'320 bytes
First seen:	2023-09-21 13:11:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	275c1ac8a0a90e452d90c6b023f705b9 (6 x MysticStealer, 4 x RedLineStealer, 1 x AgentTesla)
ssdeep	24576:xV2dAvYvLBwvdVSIY25Vtk8r+kJe4HtUd6U0i+XH:BYvLBwvdDXtk8akJe4QsH
Threatray	5'856 similar samples on MalwareBazaar
TLSH	T1A8453A21F8B691B2ECE211774EFCF566D19DACE40BD740C70A981FED82945C0AE3A9D1
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Compra Order_96857657689-Generaut®_____________________________________.exe

Verdict:

Malicious activity

Analysis date:

2023-09-21 13:12:48 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/a6c56d1d-c2e3-41d5-97ca-f79bc782d4d7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/450364/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.17314.6850.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Delayed writing of the file

Launching a process

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin masquerade overlay packed

Link:

https://www.filescan.io/uploads/650c41234a9bd894f5992be5/reports/d52d899d-f78c-48b5-952f-640193b28e43/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ecf63ee51b700ba7c3628b5bc5696e922268abae30541e601a9045eef56253d6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/823b25bf-7c50-4623-9750-4082aef9422c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1312286

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ecf63ee51b700ba7c3628b5bc5696e922268abae30541e601a9045eef56253d6/

Threat name:

Win32.Trojan.GenSteal

Status:

Malicious

First seen:

2023-09-20 14:32:47 UTC

File Type:

PE (Exe)

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5t3d5zi3oaf2pq3crnn4k2losirgrk5ogbkb4ya2sbc655lckpla._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

472a9c45d7a1ebb0163b1af93c1aea24f2247c17575752d5fede523b97713ed7

AgentTesla

492072d033edf6ed617f46060b250de50deac9027c35fa8ed07318d594a30d7c

AgentTesla

555ee22eb8c059f1e759ebedd1dc4c0012631f6befc0dca42e728fac6cd95ee6

AgentTesla

7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73

AgentTesla

85ed7537a9df0d4e71c4332fed869ee285a6fe9ebd9bf34691234ab425c4922b

AgentTesla

9eabfeb817fb350056d1647712b7ab45a06de6182c321729dce2529870989242

AgentTesla

a87a42e90b9d980accdbb4d57448856ac8d2d04eb890fcba9d7dafb3cfb66cdd

AgentTesla

aa57952b8faccbc8d18c1a1614d31dc540ca51980b5290aeb3371c521827b77b

AgentTesla

b28546dc6fd49007ebf76ad4b5225ffd8096240801fab6afaa18b3cc3cd9444e

AgentTesla

+ 5'846 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230921-qfhfvaab46/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6055753820:AAElL5-V9Lgpd2eUC9on2Nru4ci8Ix7wkx8/

Unpacked files

SH256 hash:

e59ef5b239017b59d064557075b2c0be4abb4e73e98ca047a1f8dad2e422ebe6

MD5 hash:

6311df7f146332d76ef6ad582a870457

SHA1 hash:

9ddf16c9ad87d3dc6cb675dfc67b77d5e9f4b28d

Link:

https://www.unpac.me/results/3df4cd7b-42b1-4fc8-846a-d6a009676b9a/

SH256 hash:

ecf63ee51b700ba7c3628b5bc5696e922268abae30541e601a9045eef56253d6

MD5 hash:

fee7a286ab4d7c19818ed3f43f6bfad7

SHA1 hash:

2d34a15e0a3fda53d36fdab382ef67aa70c0939e

Link:

https://www.unpac.me/results/3df4cd7b-42b1-4fc8-846a-d6a009676b9a/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ecf63ee51b70/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/ecf63ee51b700ba7c3628b5bc5696e922268abae30541e601a9045eef56253d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/450364/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample