MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c34622d44f5902532e5a5d62413bf96700fad63b9ceb5fe64f64e1e53c0e889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c34622d44f5902532e5a5d62413bf96700fad63b9ceb5fe64f64e1e53c0e889
SHA3-384 hash: a134d7eb8b1424a1e6386d09d944d691cbb5b95aafd5e3dde587b81a8f5161bd7e6ce868ea3f5d01633d0ef878234a33
SHA1 hash: f3d48807a19e5e7e59bb1ba0025f05d8eafcfdfe
MD5 hash: e98155dd2787910e9e037226aaae3842
humanhash: beer-robert-mississippi-december
File name:CV-JOB REQUEST______pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:491'008 bytes
First seen:2020-07-15 20:00:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:xO2iNj55h/m4RrcIrC8iCu80OLq1dzlG5tN2k4zUryzPb:Y1BR3rCiu8071dzCcPb
Threatray 11'318 similar samples on MalwareBazaar
TLSH 89A4E0DD6EA45516CA9C0EF94C61EA3006309E52F5F6F2852BD2FFAF3172790E006663
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26227/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Launching the process to change network settings
Enabling autorun with Startup directory
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c34622d44f5902532e5a5d62413bf96700fad63b9ceb5fe64f64e1e53c0e889/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-15 20:02:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nq2gelke6wickmxfuxlcie57szya7lldxhhll7te6zhb4u6a5ceq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ce08df0b3611911bc5afc8a1cca8ee808bcc0c4d7224910fad496244c38e47b
AgentTesla
0e1398abdfa85e32529125bf46eca2248faa7baa07f114ead8e310fc05a73beb
AgentTesla
3147804cd376f42bc7b89614a40adf096b91391c1f768e9926b69951f8e09db1
AgentTesla
4a0e435e16417fce4124563f90343d490f2b7efb9192ca11e42d593be7e8a84a
AgentTesla
61d3b16d69068afeb3bc8e202dac064f6feb408f8146a721a6b31d83c20fe13c
AgentTesla
7acb2b59ce9c0d47837e11811c93838730379cacae7bfd16d2d8db107da3330e
AgentTesla
98aa25661d1240483f21cb7f2cdade8ba0ee681fef926ff56ef6ced2c4477527
AgentTesla
9ae7fce10a10882b3ee5afd06abbb3d482fdb37ff1b80d6395e32033b5bc115e
AgentTesla
beb893e1685315584674c60f2f436c5213f0262467d3595161426b4cf485712d
AgentTesla
d62fb8c1085745bba5628a442571a54b7225f4496ad27f572798739195ebedc3
AgentTesla
+ 11'308 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200715-5d4rhzsmte/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fd6394bf28ed725aadc3876af68673e7e31e565e618d0a91dfd70f0e5fdd5fa3

AgentTesla

Executable exe 6c34622d44f5902532e5a5d62413bf96700fad63b9ceb5fe64f64e1e53c0e889

(this sample)

  
Dropped by
MD5 ce00909572007b004184cd71453f2c3f
  
Dropped by
SHA256 fd6394bf28ed725aadc3876af68673e7e31e565e618d0a91dfd70f0e5fdd5fa3
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26227/

Comments