MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a31202250692a5fc5db29563f8b1f9cea0e2b77fe0261df224717644347858f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 3



SHA256 hash: 6a31202250692a5fc5db29563f8b1f9cea0e2b77fe0261df224717644347858f
SHA3-384 hash: 3c976c40c61ff879e2f9e38ff78e522fbfc1e35cb3b9447a84f3a394ae51538599000d170942a3f2a34747f232506de5
SHA1 hash: 40bbdf03a721e23c4a614b9e009467c56ce61f3b
MD5 hash: ddcd3fc95fce40003fd3655e60b1e89f
humanhash: beryllium-green-wyoming-blue
File name: 1C.exe
Signature: AgentTesla
File size: 397'312 bytes
First seen: 2020-06-21 07:32:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:XZ72J0aM+W1jvqYDb0U2AdYRmFFRSSl3TsjEAGVkFWyyaoKR+zXbPVGd:p72JejNb0U2Ae0wSl30FWaoKKbPE
Threatray 10'637 similar samples on MalwareBazaar
TLSH 8684DF2232A87DDEC55E463E6870D32107BD26173C43DB4FDF680A9D2912ED94A52B8F
Reporter abuse_ch
Tags:AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: alias1.industralnews.com
Sending IP: 194.34.249.254
From: Sales <info@industralnews.com>
Subject: Plastic Order
Attachment: Quote Request.zip (contains "Quote Request.xlsm")

AgentTesla payload URL:
https://marketinfosales.com/Quen/1C.exe

AgentTesla SMTP exfil server:
mail.marketinfosales.com:587
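As an added example (not part of the abuse.ch report above and not MalwareBazaar's own tooling), the script below takes the digests listed in this entry and the IOCs from the report and does the two things an analyst usually wants first: confirm that a file on disk really is this sample (all four digests plus the file size, so a truncated or re-packed download is caught), and sweep mail, proxy and firewall logs for the delivery and exfiltration indicators. The log lines, the host names mx1, proxy and fw1, the internal address 10.0.5.17 and the address 203.0.113.9 shown for the exfil host are constructed for the example; nothing in them is a real observation.

```python
import hashlib
import re

# Digests and size copied from the MalwareBazaar entry for this sample.
SAMPLE_HASHES = {
    "md5": "ddcd3fc95fce40003fd3655e60b1e89f",
    "sha1": "40bbdf03a721e23c4a614b9e009467c56ce61f3b",
    "sha256": "6a31202250692a5fc5db29563f8b1f9cea0e2b77fe0261df224717644347858f",
    "sha3_384": "3c976c40c61ff879e2f9e38ff78e522fbfc1e35cb3b9447a84f3a394ae51538599000d170942a3f2a34747f232506de5",
}
SAMPLE_SIZE = 397312

# Indicators copied from the abuse.ch report on this page.
IOCS = {
    "helo": "alias1.industralnews.com",
    "sending_ip": "194.34.249.254",
    "sender": "info@industralnews.com",
    "attachment": "Quote Request.zip",
    "maldoc": "Quote Request.xlsm",
    "payload_url": "https://marketinfosales.com/Quen/1C.exe",
    "exfil_smtp": "mail.marketinfosales.com:587",
}


def verify_sample(data: bytes) -> dict:
    """Compare a blob against every digest the entry lists, plus the size.

    Returns one boolean per check; a genuine copy of the sample yields all
    True, anything else (truncated, re-packed, wrong file) yields False for
    every digest.
    """
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }
    result = {alg: digests[alg] == SAMPLE_HASHES[alg] for alg in digests}
    result["size"] = len(data) == SAMPLE_SIZE
    return result


def match_iocs(lines) -> list:
    """Return (line_number, ioc_name) for every indicator seen in the lines.

    Host names and mail addresses are matched case-insensitively; the IP is
    anchored on word boundaries so 194.34.249.2540 does not match; the exfil
    indicator requires both the host and the port to appear on the line.
    """
    exfil_host, exfil_port = IOCS["exfil_smtp"].split(":")
    ip_re = re.compile(r"\b" + re.escape(IOCS["sending_ip"]) + r"\b")
    port_re = re.compile(r":" + re.escape(exfil_port) + r"\b")
    checks = {
        "helo": lambda l: IOCS["helo"] in l.lower(),
        "sending_ip": lambda l: ip_re.search(l) is not None,
        "sender": lambda l: IOCS["sender"] in l.lower(),
        "attachment": lambda l: IOCS["attachment"].lower() in l.lower(),
        "maldoc": lambda l: IOCS["maldoc"].lower() in l.lower(),
        "payload_url": lambda l: IOCS["payload_url"] in l,
        "exfil_smtp": lambda l: exfil_host in l.lower() and port_re.search(l) is not None,
    }
    hits = []
    for n, line in enumerate(lines, 1):
        for name, check in checks.items():
            if check(line):
                hits.append((n, name))
    return hits


# Constructed log lines for the example: an MTA, a proxy and a firewall.
CONSTRUCTED_LOGS = """\
Jun 21 07:31:02 mx1 postfix/smtpd[1123]: connect from alias1.industralnews.com[194.34.249.254]
Jun 21 07:31:03 mx1 postfix/qmgr[1002]: 5F3A1: from=<info@industralnews.com>, size=213004
Jun 21 07:31:05 mx1 amavis[880]: attachment name="Quote Request.zip" inner="Quote Request.xlsm"
Jun 21 07:40:11 proxy squid[210]: 10.0.5.17 TCP_MISS/200 397312 GET https://marketinfosales.com/Quen/1C.exe
Jun 21 07:41:30 fw1 kernel: OUT TCP 10.0.5.17:51234 -> 203.0.113.9:587 dst=mail.marketinfosales.com
Jun 21 08:00:00 mx1 postfix/smtpd[1123]: connect from mail.example.org[198.51.100.4]
"""

if __name__ == "__main__":
    for line_no, ioc in match_iocs(CONSTRUCTED_LOGS.splitlines()):
        print(f"line {line_no}: {ioc} = {IOCS[ioc]}")
    print(verify_sample(b"not the real sample"))
```

The proxy line is deliberately given the entry's file size (397'312) as the response length: a 200 with that exact size against the payload URL is a stronger signal that the download completed than the URL match alone, and is worth a second check in the proxy data even when the URL itself has been rotated.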

Intelligence


File Origin
# of uploads: 1
# of downloads: 93
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-06-21 07:34:05 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

75d8b241dfc582c87a72fb150e5e18f3

AgentTesla

Executable exe 6a31202250692a5fc5db29563f8b1f9cea0e2b77fe0261df224717644347858f

(this sample)

Comments