MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2c6a57690440bb544bc9d083daf77fd62abe9b0c1840e89e44af5ffd9311e70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2c6a57690440bb544bc9d083daf77fd62abe9b0c1840e89e44af5ffd9311e70
SHA3-384 hash: d50ac1f2fa89424fb2f8246930423c45459f3ba96984c11737d9559c604b02135e06a8c10b4d1d7e2a898310508d2deb
SHA1 hash: 10ff440e48271a3c662250cbc30215dc78125fd3
MD5 hash: d75b7fc5268996284370b0059cb1f5c9
humanhash: mississippi-lake-gee-carpet
File name:Invoice_DDT N. 201 LGM47436.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:894'976 bytes
First seen:2022-01-21 16:24:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:sswM9oYdurZUvz63rl2H1H6g6P/NfYNJgyV46rpQcq6+i9vYFbbIBQViVq86Nn5e:sKdKZqkBMV6g6P9YX9rpQH6+i9vYFb
Threatray 14'274 similar samples on MalwareBazaar
TLSH T17C15089D325071EFC867C972CEA81C64EB61747A971BC207901311AEAE0DA97DF246F3
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221545/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
ftp.exe obfuscated packed remote.exe
Link:
https://www.filescan.io/uploads/61eade67d32385db631606cc/reports/d5fc1fc1-cede-4122-950d-0d75f1c8fb7a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d41a9a5-7cef-4c0f-a6bd-79150e174649
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925365
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 557840 Sample: Invoice_DDT N. 201 LGM47436.exe Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 50 api.telegram.org 2->50 60 Found malware configuration 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 15 other signatures 2->66 8 Invoice_DDT N. 201 LGM47436.exe 7 2->8         started        12 YZtXgX.exe 4 2->12         started        14 YZtXgX.exe 2->14         started        signatures3 process4 file5 42 C:\Users\user\AppData\...\wGtBfyBWoAPgx.exe, PE32 8->42 dropped 44 C:\...\wGtBfyBWoAPgx.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp5D72.tmp, XML 8->46 dropped 48 C:\...\Invoice_DDT N. 201 LGM47436.exe.log, ASCII 8->48 dropped 68 Adds a directory exclusion to Windows Defender 8->68 70 Injects a PE file into a foreign processes 8->70 16 Invoice_DDT N. 201 LGM47436.exe 17 5 8->16         started        20 powershell.exe 24 8->20         started        22 schtasks.exe 1 8->22         started        72 Multi AV Scanner detection for dropped file 12->72 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->74 76 Machine Learning detection for dropped file 12->76 78 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->78 24 powershell.exe 12->24         started        26 schtasks.exe 12->26         started        28 YZtXgX.exe 12->28         started        signatures6 process7 file8 38 C:\Users\user\AppData\Roaming\...\YZtXgX.exe, PE32 16->38 dropped 40 C:\Users\user\...\YZtXgX.exe:Zone.Identifier, ASCII 16->40 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->52 54 Tries to steal Mail credentials (via file / registry access) 16->54 56 Tries to harvest and steal ftp login credentials 16->56 58 2 other signatures 16->58 30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f2c6a57690440bb544bc9d083daf77fd62abe9b0c1840e89e44af5ffd9311e70/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 16:22:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ldkk5uqiqf3krf4tued3l3x7vrkx2nqygca5cpejl277wjrdzya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0cabc6544bb554fc6900c766ade30bee9bd403f64231e87b65fc9182128d7515
AgentTesla
3ed7cb075765f5e5ab3d98021d4fdf3e81498709452af99a220f3f831fe46353
AgentTesla
4fcca1bce2dd80a24a9def40ab28cc5197e8dd477c2ef77c4d47a19b73fa8bf1
AgentTesla
6219cac062c9ce9f7b909b0e77068c0953711dab88c70015aea27e7c860a0e1e
AgentTesla
d2606cc6318b1e0c21de14cf79f8e06652e783e9239c84eec8bd2b0582ab6cd2
AgentTesla
e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0
AgentTesla
ead0f6ef88c149f4318129ed6e3ef5fb30bd2ab03afef3625ca08d1b2f6f180e
AgentTesla
efe702eff8b1684d9a92b1a5f24e1f375033dd124e588ee30cc778adc16d76f1
AgentTesla
+ 14'264 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220121-twypjsabg4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1641777799:AAHdp3u4L6fVtZntWVtNfV4UJrnCJ4wHmD4/sendDocument
Unpacked files
SH256 hash:
b204bf36a15d45fcac16a3c37ffd64e451d7073575268edc3345a2785bf26fc4
MD5 hash:
e9b674750323c40c856830b530e3b941
SHA1 hash:
7a82cba7d2ece4dad8d200179411cb069f73ade8
Link:
https://www.unpac.me/results/0fbd8ab2-92c1-44de-b694-f2c0f6dbacce/
SH256 hash:
247f74e7d7df959eb6cfae1f038091c3697ef27f5067381f005850723108521b
MD5 hash:
44561923202a122a99f9a7ecd31c8f82
SHA1 hash:
8521017b7ca78c129c5824cb13826d0da9e88069
Link:
https://www.unpac.me/results/0fbd8ab2-92c1-44de-b694-f2c0f6dbacce/
SH256 hash:
f2c6a57690440bb544bc9d083daf77fd62abe9b0c1840e89e44af5ffd9311e70
MD5 hash:
d75b7fc5268996284370b0059cb1f5c9
SHA1 hash:
10ff440e48271a3c662250cbc30215dc78125fd3
Link:
https://www.unpac.me/results/0fbd8ab2-92c1-44de-b694-f2c0f6dbacce/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f2c6a5769044/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2c6a57690440bb544bc9d083daf77fd62abe9b0c1840e89e44af5ffd9311e70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/221545/

Comments