MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6
SHA3-384 hash: 10a460bd1ee69da0af3e918885f98d9ab58c837def994c37e018ef29089a99fbd44ffb2b33d5d072f29cf10f116837ad
SHA1 hash: c833b6d3d6daf09ba2bc456157aac5c517dc3895
MD5 hash: 75346fc05ce9a0921add66bfe01fb2e2
humanhash: echo-rugby-saturn-freddie
File name:Stone Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:579'072 bytes
First seen:2020-08-11 14:08:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a18a672aeeae86dc8783de7e30f7d80d (2 x AgentTesla)
ssdeep 12288:CgBcdEbbuk5pJG6WWDVBFVMEd+33xBJrh9Bc45xS:nySbFBFj+Jrh9B/5x
Threatray 11'089 similar samples on MalwareBazaar
TLSH 65C4AD43B651D2E3DD06027874A2E7E649223C382115EA0BF6C7377A3C757AE9682F47
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: HOST8DNSRAIN.home
Sending IP: 103.235.105.76
From: paoloinvestmentstones@gmail.com
Reply-To: paoloinvestmentstones@gmail.com
Subject: Re: Quotation for Irregular Slate Paving Stone, Irregular Flagstones, Flagstone Road Paving, Flagstone Walkway Pavers (Buyer: Paolo Faruk - United States)
Attachment: Stone Quotation.gz (contains "Stone Quotation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43490/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Sending a UDP request
Launching a process
Modifying an executable file
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/419228
Signature
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 14:10:09 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=np5o2syzl6v6gtmfsmdwa2vul5f6qbyc247gb36ogfd3hj25jd3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4c1a433244a83a823b97c4739c5ef1d79f078f0072d580046e295e6c0271f464
AgentTesla
5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7
AgentTesla
5e2b50ea71dab4a9890936aa161e9063c33aa43088bc88ed55707b6684aa0f46
AgentTesla
67147087feb1efc01a641bda1a605bf30457f1cbc8b0143aa997b3bd323e66b8
AgentTesla
7dc693a09183412e6567e278cad02a34b8d4779ba93fddf8c34b1daaf78400e1
AgentTesla
892903d839863e0ffa2f8d3566d03f95f1d06dc3de55de766f37b6b04b3a608e
AgentTesla
975bd764510169b28cbde394746ed4c26b05ce0465c2184873d5e1c6e14bfae8
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
e938ade8d2fa23f38ba4bcbf425863e5966e19a215ee351d83bcb3d70dc5b8ec
AgentTesla
ef7a8f1478e57d2dedf96a00501903b7b5a571680286502f2f329ed2c8728b2b
AgentTesla
+ 11'079 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200811-mjp2k4yxwa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5c144627697438d385f2fe493ece0aa8edf19e106d195595f85f863b91c7a6bb

AgentTesla

Executable exe 6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6

(this sample)

  
Dropped by
MD5 70db7ce65a90d73ba6457e593c35ea44
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43490/
  
Dropped by
SHA256 5c144627697438d385f2fe493ece0aa8edf19e106d195595f85f863b91c7a6bb

Comments