MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eee3d9ebd63140043e5145d3659929829be5c1943521f8f783df47186811f9c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eee3d9ebd63140043e5145d3659929829be5c1943521f8f783df47186811f9c0
SHA3-384 hash: cfb63dc049b57fb6d0fd6c49032944343b80215c715d26335523ad6795fbdff0645f05d0242aaa5ecf9c3a9195b71b25
SHA1 hash: 6caef6db02bf48457b504e69b0a71449b90cd3b9
MD5 hash: 5e5812ce17dbc6f3e1ec335b7d165f63
humanhash: nineteen-pennsylvania-december-fifteen
File name:BTQ6074100.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:908'800 bytes
First seen:2022-06-13 13:16:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:jIqSBJqH22qla5w/yXbxFgXX3ymF31FpfUY4zIP5eRVIZfdw:02H0MW/IbxeXP3SIB02ZG
Threatray 18'941 similar samples on MalwareBazaar
TLSH T1D315F7AFAAC4C9DEDB08A675EB731E110305ADEC18DA533B6BCE3619C43A7641DF4610
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b0829c988c868070 (14 x AgentTesla, 4 x Formbook, 4 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://136.144.41.76/bray/inc/a4a9ffb236214a.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://136.144.41.76/bray/inc/a4a9ffb236214a.php https://threatfox.abuse.ch/ioc/697985/

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
BTQ6074100.exe
Verdict:
Malicious activity
Analysis date:
2022-06-13 22:25:45 UTC
Tags:
trojan rat agenttesla opendir stealer
Link:
https://app.any.run/tasks/ff5df259-9e0f-4b2a-bad1-07c391ebf65d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279423/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62a738d23c52ddca42d8ea2a/reports/fed1313f-2408-44e8-b911-cc78cfcd5412/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/edf47fc3-13d7-45ae-ab5d-7880df3aed42
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1012129
Signature
.NET source code contains potential unpacker
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 644626 Sample: BTQ6074100.exe Startdate: 13/06/2022 Architecture: WINDOWS Score: 100 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Yara detected AgentTesla 2->80 82 5 other signatures 2->82 7 BTQ6074100.exe 1 5 2->7         started        10 Lntmzemb.exe 2 2->10         started        13 Lntmzemb.exe 1 2->13         started        process3 file4 56 C:\Users\user\AppData\...\Lntmzemb.exe, PE32 7->56 dropped 58 C:\Users\...\Lntmzemb.exe:Zone.Identifier, ASCII 7->58 dropped 60 C:\Users\user\AppData\...\BTQ6074100.exe.log, ASCII 7->60 dropped 15 InstallUtil.exe 15 6 7->15         started        20 InstallUtil.exe 7->20         started        22 cmd.exe 1 7->22         started        24 powershell.exe 15 7->24         started        84 Multi AV Scanner detection for dropped file 10->84 86 Machine Learning detection for dropped file 10->86 26 cmd.exe 10->26         started        28 powershell.exe 14 10->28         started        32 2 other processes 10->32 30 cmd.exe 13->30         started        34 2 other processes 13->34 signatures5 process6 dnsIp7 62 136.144.41.76, 49803, 49860, 80 WORLDSTREAMNL Netherlands 15->62 54 C:\Windows\System32\drivers\etc\hosts, ASCII 15->54 dropped 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->64 66 Tries to steal Mail credentials (via file / registry access) 15->66 68 Tries to harvest and steal ftp login credentials 15->68 74 3 other signatures 15->74 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->72 36 conhost.exe 22->36         started        38 timeout.exe 1 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 timeout.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        50 timeout.exe 30->50         started        52 conhost.exe 34->52         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eee3d9ebd63140043e5145d3659929829be5c1943521f8f783df47186811f9c0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 13:17:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=53r5t26wgfaaipsrixjwlgjjqkn6lqmuguq7r54d35drq2ar7haa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
masslogger
Create hunting rule
Similar samples:
16dc7f82ad30da1bc6aaaf0832bef80524250e96998149e10e30e94ad4856bd3
AgentTesla
248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9
AgentTesla
3b35160a0221a2abd530bf26c039844ed986971c906fcb6e6feedb8978d076b8
AgentTesla
4ea32ccd68ea4437adbb5639bbbd2a0098107f16b851ac463a136ec5ecba796a
AgentTesla
86e679c0c0bcd5e79208afed4ec26fe6372943fa8e2ff519da34bfe7b0e72c26
AgentTesla
9bada767c10c932126025f285f82aa13cefe16334ddc888ffdacc68ea90ea2b0
AgentTesla
9d9cbc44c7dfafd9e5693f77c8847a4ac432153bff137abeef92f275d552c466
AgentTesla
a2136b933c4487133913d9138887fdca955bb78f9071842a958949112af5e67b
AgentTesla
+ 18'931 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220613-qjdbasgdbj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops file in Drivers directory
AgentTesla
suricata: ET MALWARE AgentTesla Communicating with CnC Server
Malware Config
C2 Extraction:
http://136.144.41.76/bray/inc/a4a9ffb236214a.php
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/e24eb1e1-b25b-43fa-bd2b-d41cc94528b1/
SH256 hash:
1d6acddbccd89b4b636a0a963ea68ad384728a3ff13d3dc781862a2ab681a6d2
MD5 hash:
9687210c911f83d3fd5187c324ea723e
SHA1 hash:
2146d2592f8a845384e7ecea0ea5b29fcf009c7a
Link:
https://www.unpac.me/results/e24eb1e1-b25b-43fa-bd2b-d41cc94528b1/
SH256 hash:
48f1a60d09dc0abf72dd41431a81df4d2952d42b248973931023b516718a502e
MD5 hash:
2862801ec5bedee1b6b47490219db9a0
SHA1 hash:
0fa21b02628361531334a95db99cb87a1c92be12
Link:
https://www.unpac.me/results/e24eb1e1-b25b-43fa-bd2b-d41cc94528b1/
SH256 hash:
eee3d9ebd63140043e5145d3659929829be5c1943521f8f783df47186811f9c0
MD5 hash:
5e5812ce17dbc6f3e1ec335b7d165f63
SHA1 hash:
6caef6db02bf48457b504e69b0a71449b90cd3b9
Link:
https://www.unpac.me/results/e24eb1e1-b25b-43fa-bd2b-d41cc94528b1/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eee3d9ebd631/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eee3d9ebd63140043e5145d3659929829be5c1943521f8f783df47186811f9c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279423/

Comments