MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f68067f9115e9ede57c73b7392912980129fd16b51f3f6550f8e086702b65eac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f68067f9115e9ede57c73b7392912980129fd16b51f3f6550f8e086702b65eac
SHA3-384 hash: a5784524fc5ea426c240a054eaee38efff1c39fb2a1f71d8483a845ef4f456cf03b74bef1f94ea2b55bdb2251e97de66
SHA1 hash: 260aa9c571789b7ddb78e5bb1cd3775bf3038b44
MD5 hash: b17445243117804a2a0b91906c6e0094
humanhash: uniform-king-early-oscar
File name:b17445243117804a2a0b91906c6e0094
Download: download sample
Signature AgentTesla
Create hunting rule
File size:722'944 bytes
First seen:2023-06-19 12:13:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:YqtYq7J3At5iHOq+ZQSOqZnH6LOsg+pPso4dBetvNfTc1LJP/a3Bk:YCYqtm8OqK9LqaIPs3dBsrc19Px
Threatray 2'977 similar samples on MalwareBazaar
TLSH T12BF41258782C8647D86A0BFC4AE43730133E5BA97E22EBC46CD3F0E8ADA5F921511757
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New PO 700218943-20119.doc
Verdict:
Malicious activity
Analysis date:
2023-06-19 11:32:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/590faa6e-60e2-49cf-8954-d20d6c548ab9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400438/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2121.6748.26577.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/6490468e10461c2d676a6b8a/reports/ccd7b0ba-19e5-4987-b918-6f6cf7163656/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f68067f9115e9ede57c73b7392912980129fd16b51f3f6550f8e086702b65eac
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cda1d315-1651-49b2-8cef-65064eb98dfe
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257376
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890392 Sample: GgS44EwCaF.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 3 other signatures 2->57 7 GgS44EwCaF.exe 7 2->7         started        11 DOokILuuhICq.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\DOokILuuhICq.exe, PE32 7->31 dropped 33 C:\Users\...\DOokILuuhICq.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpD1C6.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...behaviorgraphgS44EwCaF.exe.log, ASCII 7->37 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 GgS44EwCaF.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 21 DOokILuuhICq.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 cutecycles.com 103.212.121.151, 49696, 49700, 587 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India 13->39 41 mail.cutecycles.com 13->41 49 2 other IPs or domains 13->49 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 mail.cutecycles.com 21->43 45 104.237.62.211, 443, 49695 WEBNXUS United States 21->45 47 api.ipify.org 21->47 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->71 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal browser information (history, passwords, etc) 21->75 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f68067f9115e9ede57c73b7392912980129fd16b51f3f6550f8e086702b65eac/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 12:14:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62agp6irl2pn4v6hhnzzfejjqajj7ullkhz7mvipryegoavwl2wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
059d5f6ce17550f0aad80205593ff14cd81bcacf6e2b3bbc1cee716f9669aa64
AgentTesla
0ffb2f62c79661847214dbf0242b3ccb488782b9a06278a1b66244f9338f2525
AgentTesla
1c834a9e0b395b4544646c67f8a12972256500cbabb5b71a7433548e8b558920
AgentTesla
1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804
AgentTesla
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
AgentTesla
39893af7f960c76c20ab2b99e5caa2acabab3c7fc01e47791586f451eba5be5b
AgentTesla
3d0816e876a59f4e3b56bd2105122ef69499f79bab375b0956716494eb286dbd
AgentTesla
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
AgentTesla
c3706faf1e9a38c879ec449a50da90aafcae01787b0e56962519d3edac1d6b42
AgentTesla
e2a4e3661a1ba5c88dbfcb792f0d489b37f14f74f2d1b2111a278bc81fb930c7
AgentTesla
+ 2'967 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230619-pebfgadg47/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/9525b3eb-5317-47b2-b696-fa3a4b807c89/
SH256 hash:
88ecaed6a8e7da83e81bd4a539bdef6cae015e4c024e619c21793f0dfab91a99
MD5 hash:
4af87baf1f31c9edda652f3e7824955c
SHA1 hash:
d3afd3b193719abda128c87033acbf00945a5a9e
Link:
https://www.unpac.me/results/9525b3eb-5317-47b2-b696-fa3a4b807c89/
SH256 hash:
bf10a163a25c7180931538676ec36b1e02aef0dec059722d4809bbc7e49a46b1
MD5 hash:
867acc91f18876e1e1d23b7a35126014
SHA1 hash:
c864d5f89cc3f426652680d489fa6caf075efd56
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9525b3eb-5317-47b2-b696-fa3a4b807c89/
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/9525b3eb-5317-47b2-b696-fa3a4b807c89/
SH256 hash:
aaab9c16b02950b07e6adf848dccdc2fbf319ab7a4a7eef7339b77269e7da551
MD5 hash:
e7d18c69a15a8c54f38c1125cb1da5ea
SHA1 hash:
3bf63772eeff1b9c60346bdbc96b86b8143b0a86
Link:
https://www.unpac.me/results/9525b3eb-5317-47b2-b696-fa3a4b807c89/
SH256 hash:
f68067f9115e9ede57c73b7392912980129fd16b51f3f6550f8e086702b65eac
MD5 hash:
b17445243117804a2a0b91906c6e0094
SHA1 hash:
260aa9c571789b7ddb78e5bb1cd3775bf3038b44
Link:
https://www.unpac.me/results/9525b3eb-5317-47b2-b696-fa3a4b807c89/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f68067f9115e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f68067f9115e9ede57c73b7392912980129fd16b51f3f6550f8e086702b65eac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f68067f9115e9ede57c73b7392912980129fd16b51f3f6550f8e086702b65eac

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2666233/
Cape
Cape
https://www.capesandbox.com/analysis/400438/

Comments


Avatar
zbet commented on 2023-06-19 12:13:59 UTC

url : hxxps://sofancy.co.za/data/Bin%20(2).exe