MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e85d010198944cd284d9fdc636e1d690d6c77b2e1bfabbc41e1f8941ea72332. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e85d010198944cd284d9fdc636e1d690d6c77b2e1bfabbc41e1f8941ea72332
SHA3-384 hash: 7853b41439bc6db64e6cb63df113a90f3249b87253d5a5d527d41abb1984825ddefa17bf5550e2a9ecc6d72a9e877ed8
SHA1 hash: f0dc8c71aa5413e928c6c874ecb5cc7fd3be1323
MD5 hash: 3c8a8260e765dc75ae5cef3dd501fafb
humanhash: delta-hotel-victor-indigo
File name:client whose details.xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:460'800 bytes
First seen:2020-07-28 08:47:39 UTC
Last seen:2020-07-28 09:43:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0VqPeaZKCMoarcq7nn46vtDaCUgEfZzS+lTG:sqW9FcEnDvtDaCRQ
Threatray 10'691 similar samples on MalwareBazaar
TLSH FCA4E04477F85B1FE1BABBF177B750800BB9B116A4B1EE0C7DD5E0CA15B2B644A80A07
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33391/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.373.10649.1988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/399713
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252145 Sample: client whose details.xls.exe Startdate: 28/07/2020 Architecture: WINDOWS Score: 84 20 g.msn.com 2->20 22 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->22 26 Antivirus / Scanner detection for submitted sample 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected AgentTesla 2->30 32 4 other signatures 2->32 8 client whose details.xls.exe 3 2->8         started        11 wuapihost.exe 2->11         started        signatures3 process4 file5 18 C:\Users\...\client whose details.xls.exe.log, ASCII 8->18 dropped 13 RegSvcs.exe 2 8->13         started        process6 process7 15 dw20.exe 22 6 13->15         started        dnsIp8 24 192.168.2.1 unknown unknown 15->24
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6e85d010198944cd284d9fdc636e1d690d6c77b2e1bfabbc41e1f8941ea72332/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-26 23:39:54 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2c5aeazrfcm2kcnt7ogg3q5negwy55s4g72xpcb4h4jihvhemza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e928609807c597f7046341f0a335738ae8efa905be3c51de1f47d3c5ffb1996
AgentTesla
16f661258c7572ebd08fa986cfe3e2f1b24196d366d048102900e60979f42ca4
AgentTesla
2fc3c25b29d03e4e3167f874a453eb44212071490864e0134ca406ecf14d74a6
AgentTesla
39ae9bb45b4f178ecade689b35dba1ed79d686199997202995946a64f0317890
AgentTesla
638603145c3aac570237325613344a3fd83bf2fc737ee5acd8230e0ee1afb0f5
AgentTesla
65a334681f28acfaf75675f309f6f05daa3e6e3b860771730a38ee701cfdef20
AgentTesla
6a84a6afd624f252d7762e4f05125dcc731c1bc52556c5af0a9986c8149e1f1c
AgentTesla
836d479354578427f7cc678351df35175bc6e4b6a75bd936b1945b961f808a88
AgentTesla
c3418a3272d2f9a7b3121655ac783ce213a3d4557def273d3d3ae170ace88974
AgentTesla
d00396bdc41d762fcc1612605e951071919d7bb0fbce02491c805d2d42d767a4
AgentTesla
+ 10'681 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200728-a21r5ktxlj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e85d010198944cd284d9fdc636e1d690d6c77b2e1bfabbc41e1f8941ea72332

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 32b1822d98b4885a52ca88cc24f314a0fb8a72091a4c257f51e95b14035a5f3f

AgentTesla

Executable exe 6e85d010198944cd284d9fdc636e1d690d6c77b2e1bfabbc41e1f8941ea72332

(this sample)

  
Dropped by
MD5 351769ca241d7397047fad92e166ad48
  
Dropped by
SHA256 32b1822d98b4885a52ca88cc24f314a0fb8a72091a4c257f51e95b14035a5f3f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33391/

Comments