MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cb59c403d44f189cc1fc19ade756c48496f7e1c2a1c981a86ae4ed78546174f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cb59c403d44f189cc1fc19ade756c48496f7e1c2a1c981a86ae4ed78546174f
SHA3-384 hash: 095d8b572958027a2aac7fe9904ef348fd3310850af5e7afdbea43cd13e42ba4a3d75af278511a005840014c39faa429
SHA1 hash: 5b12088ca4ea53a166ffb457b0d0d0d269a4fb53
MD5 hash: dc59171acfa62d55376143740cdb1e31
humanhash: alpha-april-virginia-colorado
File name:Order011738PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:668'672 bytes
First seen:2020-06-16 11:40:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:nZm49QjSTH36VEJD6Lp/kFDpEwtkYe2Iq6gSOCEpFggtrMby3udBiw1:B9QjS736VEt6G6KDbXgM
Threatray 10'882 similar samples on MalwareBazaar
TLSH 49E45B3A7785A815D13C4A7240E5679072B2A6833E02C71F79DA979CBF027CF3B29359
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.eben-ezer.es
Sending IP: 146.255.101.138
From: Serlingo Facility Services Management FINAL-01 <administracion@serlingo.es>
Reply-To: worldnetofficemailer@gmail.com
Subject: Payment_011738PDF
Attachment: Payment011738PDF.7z (contains "Order011738PDF.exe")

AgentTesla FTP exfil server:
ftp.bmdonline.ro:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10949/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 11:43:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ns2zyqb5ityytta7ygnn45lmjbew67q4fiojqgugvzhnpbkgc5hq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
025dd1259e4f221e25144622733ef5de70d4f6fdfd9ec3e23558529f2ba80fea
AgentTesla
0c630248507337f2835d5ff76bcadd48aca15cc50c4b334eabea3a93bac8a6cb
AgentTesla
1e4142cd35d6a084523300f2a21b42add23f4292002452064360e457a12b5772
AgentTesla
64f0214a1438a825f551e2113d911ede56cfe3bb26f4e4003ac4bdb6cad3995f
AgentTesla
8df93ec87b8e939221fa7ef06a7b7caa881a9d31c11b432f389e41ffdf500c88
AgentTesla
a576e8f3b6908a56d86f470f8399a7f2d73d784f4534637a083feb395fc14319
AgentTesla
a8ec57a26ec4c0a4dbd0cdce3e4a1bea7d77433160f0a48737e0df9e203da492
AgentTesla
b4e4955cd0abdc5df6d5e1db5d58f3b0f1de491540371e919941f6dc9741f23e
AgentTesla
b6475693b118bad18f4d1f7fa61e55b3e3cedc68ac6a6c07891a6a4e329f949d
AgentTesla
cc6d907cd248ce25a61d6d7b998e8a7ec6e5ee7e5eb63334365601efb9ee2c8d
AgentTesla
+ 10'872 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200624-5xta8rvlvs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Program crash
Modifies service
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 385c6146f72e41cecd99e18bdfe42f5047d0467bb3ae4d724f69fa753fec2da2

AgentTesla

Executable exe 6cb59c403d44f189cc1fc19ade756c48496f7e1c2a1c981a86ae4ed78546174f

(this sample)

  
Dropped by
MD5 a5cfc0c41d1b3f6ac1a0ec1db8e6297b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 385c6146f72e41cecd99e18bdfe42f5047d0467bb3ae4d724f69fa753fec2da2
Cape
Cape
https://www.capesandbox.com/analysis/10949/

Comments