MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3
SHA3-384 hash:	e75e6f00fcdcfda9ab6ea54267c4dc5bfda4bc14a78864e3ad910e32c7a96c7e0ac2db3461108126f299af1e33f03707
SHA1 hash:	072af6ad363874ab2eb4a365ad449983b144f2ff
MD5 hash:	a7b1f0663d3c5dbdb4e5c8242981dcaf
humanhash:	table-four-apart-football
File name:	COTIZACIÓN.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	830'976 bytes
First seen:	2023-10-11 16:52:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:H7tUF6iGjItxdCRnPLJZy8Tzh3GjXWpE:HBPiOQxUFPLJZyC92GpE
Threatray	171 similar samples on MalwareBazaar
TLSH	T15505077C15689A8CF7A482BEB2724CFF57923C1F40B7B5F7A12CB4970EA97D24402661
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

286

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

COTIZACIÓN.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-10-11 16:55:52 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/1c3020d8-99e8-4290-9a16-da223fa017da

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/453321/

Detection(s):

Win.Dropper.Malaz-9939293-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6526d2f19b16696e9f9b199e/reports/ef3fbeed-0b79-4d98-aed2-0fc375176423/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/57aa151a-eaa5-4b64-ae94-8a5561b0db28

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1323908

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-10-11 16:29:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 38 (34.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=65ggupppdtwsu3slzap6yg2payxluz6oe4okjjdsofrrtbvg2hbq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4

AgentTesla

493e3d54159cd3ebde6aa0b5216ddcb14863b4b064bb80c654353838926d191d

AgentTesla

6703706a8c532bece036e36fc650fc082b04c5b771e5c2458adf28fdc667ad97

AgentTesla

6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87

AgentTesla

74a84823c35436e2a73f303aaf86be5d2c59f025c948c0044f948d613da91870

AgentTesla

96703bd16fbb6ebb4d19bbe99956cc74bc08ef7b8c05d258783c970e7c300ffd

AgentTesla

b73234fec5a6cbf5e739a75ce9aa9674f11dd409a81c740f009e1bf18c767c94

AgentTesla

d52275a861a9396629e78edca76c3b3cec55980115feadfd0e93ca9c400bbffa

AgentTesla

e579952e0a6c558c001274aa13e6ac8297a3991497f0163917e6db3a37430f83

AgentTesla

+ 161 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231011-vdy32acf34/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

a040efb5ce92995b5d40fd2536c8ad6a93f2d8584a3dd52f07cdb0b34c9e6e29

MD5 hash:

a5a52675690de850e3de6c05a9bd885f

SHA1 hash:

fd953edf2e910fbb43c9e6d4c8d48632bb4e55c6

Link:

https://www.unpac.me/results/1ae9f053-b5f8-421d-bd24-35d0abc78925/

SH256 hash:

b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63

MD5 hash:

5c904da8528cfb1b87b15a6aa7c059cd

SHA1 hash:

f0a192969485d1bc34bf52adf37d9c20176d6b85

Link:

https://www.unpac.me/results/1ae9f053-b5f8-421d-bd24-35d0abc78925/

SH256 hash:

760724d563c9ff74797b80dfc7db4094e8c1680031acb1114c26382a611704de

MD5 hash:

0b3dacb1f05534a524fa742544029386

SHA1 hash:

845f72d998b3a68ffb5288a8c433600369393815

Link:

https://www.unpac.me/results/1ae9f053-b5f8-421d-bd24-35d0abc78925/

SH256 hash:

10278cf5ab1c5f5546dfb1304bbda18ca675a0e8e1349dcb0ef31ed6194faf8c

MD5 hash:

38fac24186205e7e454668f493ee4be8

SHA1 hash:

0c0b6cf267e9ce8bee16231bd1de791cd19cbb0c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/1ae9f053-b5f8-421d-bd24-35d0abc78925/

Parent samples :

10278cf5ab1c5f5546dfb1304bbda18ca675a0e8e1349dcb0ef31ed6194faf8c
d975b68c91c59dddb7b6777f6f2f78300ddd9be5c51f483994ea26106839a017
fa882068acfc15aaea82a925df6e6bf21a2c24c114f7f382cf524431690c4b0f
7b37b945add0e6c872027313e3e011bf368c5cd038d48d3f719e6f08927af861
de96b58170192186f3f118155903287e871cd7c2950900645367527129b375eb
865a96900b64bb3aca2d50dd65ab111ec881db5935f1dfd753dc48ce6cf21532
86233dde1f7f4fc654835a61c19c671d221a8b6c60c2b8bf47971a09a9b834fc
17b7a8bce60617c9f97a3464bbdba87d94da9c08b533fc07f3727376feae538d
798a1dd333191702e1ada41a7d113ebf25f611e17562d9466d0bfed0d0f87271
e3699bdedcf4bebffc1e2e2af639da53dc9abd0e7bcb4e917def61a01a880b69
bec9d10adb4629b7438c1450a378f704130f925170978084564a89c2e5f8ccb0
ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8
23a188b67111d6c67ba62e1588479154ca23c4c65d768a662b873757a3419ed0
845bd19a89db0310a363f915e1e92d5e1d2943bd4cb0f9422368d563de2d850d
94688cb7dc0518d6dd77ca23bc6b591bb2be55d9006d91e3ef074b96ab638842
b905e2aaf41c07e00b4daf4c1d473a43880057be0c95268a5c4eb8c838f80c2f
7c35caefea294401fee0251043f126c752de452da6e0376e5f959f6dcc688796
6c42ee7167cd0229fd37b09bbfdd37f5454786457284a4c97583832d86af01e2
0b282c5279640f86929276ce1a52be1ec7e892701954362e5568f254101880b5
74a84823c35436e2a73f303aaf86be5d2c59f025c948c0044f948d613da91870
6703706a8c532bece036e36fc650fc082b04c5b771e5c2458adf28fdc667ad97
f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3
ca5c1fefe9b9347b995dc040b7e50b867be70729041afffd475ce7856f394f5b
bccc2a1036cae75070c4f2df937c91cd36f718a7956103abe42b99d01b4ae044
197340e586131099b95d8d2fb46791806f018fd643172e841cde25bd436b90d8
7df6c33cbd852c467ef5a454451436e31a48d360a4959224e11a79ab4ad10f91
f1766635b1f5e7015ff13d8b6998366b45550d8be505f002b8e6192db3e503e7
be10a38e0b54ec2152d5b6094ebe296db7ad897445a7d5a4b1bd82789437dd65

SH256 hash:

f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3

MD5 hash:

a7b1f0663d3c5dbdb4e5c8242981dcaf

SHA1 hash:

072af6ad363874ab2eb4a365ad449983b144f2ff

Link:

https://www.unpac.me/results/1ae9f053-b5f8-421d-bd24-35d0abc78925/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f74c6a3def1c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453321/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample