MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6cb1d3d7f8d28a30f739557742cc8dcbb3589238352a8b2fde5800f212374d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6cb1d3d7f8d28a30f739557742cc8dcbb3589238352a8b2fde5800f212374d5
SHA3-384 hash: 1fdcafde557a69a94f9625f8f32a386160bb64e9201013312bfa872df195821514f0bfebd3670041b27ee8b915ba2c65
SHA1 hash: 1fc7d5352fda05a90505b7459d494ff7038775d1
MD5 hash: d610604cb319a7d5e184eaba2c1452d1
humanhash: indigo-west-violet-don
File name:363IN050790620BOOKING.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'000'960 bytes
First seen:2021-06-02 05:56:17 UTC
Last seen:2021-06-02 07:00:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:lcQLs4eEqwW8iA6l/DtmbGNofZKwiA8KGlfVg/6DB7lxR:lcDbsGNoGA8Ng4hB
Threatray 5'484 similar samples on MalwareBazaar
TLSH DA258DF4F198AAF4D02DD731C2909CAED7A255FE5303CA1C1DA9DACC1A43B8ADF99404
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
363IN050790620BOOKING.exe
Verdict:
No threats detected
Analysis date:
2021-06-02 05:59:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5f4ace0b-1c44-4e53-8045-846e3b4b46ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163922/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.793.6555.10172.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/795633
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f6cb1d3d7f8d28a30f739557742cc8dcbb3589238352a8b2fde5800f212374d5/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 22:53:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63fr2pl7ruukgd3tsvlxilgi3s5tlcjdqnjkrmx54waa6ijdotkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e43a9cb578534543e39c04879feed5a1d9af3f58ab4c60f306bbedcb2be1470
AgentTesla
23253ec8ed43b22967f06038e156f5cc113f9c7b33c0ed829bf138288366aaa3
AgentTesla
559ac8d4a0d12e54467002c83f33cf63f01158a729ff2143b68a5ec42b8535ad
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
a84f11e95b767a018ebd535c055ce9dd39d0ab23bf563312092662cd8cedf00b
AgentTesla
b1db9b45aa4903a5d9086d759765f4cb76a23e601c7bfd8133d440cace108307
AgentTesla
b36448538d1e8029314a7998ce8eca1ca7af53b9ad36fd162783830e7b0e3071
AgentTesla
b5be17b9a7cb258eeeb27f08c5ba197c47e87b052ce41b150e9945b17d1308c3
AgentTesla
f0998181a413c33d7696007625fdaa39855e454ef248ca2f2368ff2618468271
AgentTesla
f5feb1c019927e3ac5eb40a94106a54cf1f1f7724332b330d26d6422d6eeab5e
AgentTesla
+ 5'474 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210602-rk9g6xcsnn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6cb1d3d7f8d28a30f739557742cc8dcbb3589238352a8b2fde5800f212374d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c07df67b97d89594ac707d30267cd6d338b3cce8164a6503f9576474943c8b55

AgentTesla

Executable exe f6cb1d3d7f8d28a30f739557742cc8dcbb3589238352a8b2fde5800f212374d5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c07df67b97d89594ac707d30267cd6d338b3cce8164a6503f9576474943c8b55
Cape
Cape
https://www.capesandbox.com/analysis/163922/

Comments