MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6edf1d434f6af782872d28d8f2729b2fa69825adcf33b299d49d71190532f73e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6edf1d434f6af782872d28d8f2729b2fa69825adcf33b299d49d71190532f73e
SHA3-384 hash: f9e2f826b5f0bcfb9fb9fcd00988c4fcd7bab11b5dc0ae3c04a93349ef544eeff2fbf303f293aa9b7aa8e3e9838ae360
SHA1 hash: cbe9857927fcc8f59d544f67be7a936f7800746c
MD5 hash: 8cb02f972eec3899494d17d0b147476f
humanhash: salami-jupiter-idaho-three
File name:payment10.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:491'520 bytes
First seen:2020-06-25 09:34:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:iT8NNn29zbJjbriCpXi0I9YaIGAnfEV9:iT8NNnURjbrin0iIGAnfe9
Threatray 10'597 similar samples on MalwareBazaar
TLSH F1A40210379C3B2AC6FD93B915B6918013B86A773211D74F9E9872AD2E73BC08522777
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp2.africa-online.net
Sending IP: 41.190.93.230
From: manager@ufulugardens.mw <reservations@ufulugardens.mw>
Subject: Credit Bank Note
Attachment: payment10.img (contains "payment10.exe")

AgentTesla SMTP exfil server:
mail.worldafricasafaris.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14130/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.44022.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6edf1d434f6af782872d28d8f2729b2fa69825adcf33b299d49d71190532f73e/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3pr2q2pnl3yfbznfdmpe4u3f6tjqjnnz4z3fgoutvyrsbjs647a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
051d14efd4c327560664310cc78e965de3929950864050ac20b121a7afe8c10a
AgentTesla
053bc157e442a323430782ea3b5b79848ea70ae93d94979d1362ab4f39392eed
AgentTesla
0dc3eca1aa41121ab6ca32b24b95df9413a50074dcac916efdaf0b47560495ad
AgentTesla
1d9fedc306b15f10764273e7569d707b02b910900d4001490731f53899c2ce14
AgentTesla
5dc1d79fcbce0ea9bdef1de3289b95c0f8d7e3d6ece49b6e7526a46d0a2ccbd8
AgentTesla
8562c1e0b98bea014ed4cabc3b74cee7e4616d96f3d20ec6f88352b97fa4fc8d
AgentTesla
b9d2e9ef5ac762cc3961f222eab3b94a0d8b73e2fba5ef7ecd148fe016945f20
AgentTesla
bd66f4581d2957904f503e0ac424c89e1681763d0395c4e03434cc909ed0f490
AgentTesla
be39cd2009d58faaf2e47de4717b5a4d59df17cc1f0850f299c8388ab3d3bb42
AgentTesla
dac01bbee08ffda9dc50c1f7244ceb96eda1807ec707b72d041443fbe55d9bab
AgentTesla
+ 10'587 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200625-fz3pd8g62a/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img ad62a4f82314c97a1b0f435192091b8471c0676f8de65b118cb5b7d3fcbbc6f3

AgentTesla

Executable exe 6edf1d434f6af782872d28d8f2729b2fa69825adcf33b299d49d71190532f73e

(this sample)

  
Dropped by
MD5 152f8632f6c786d3c9e8850ad4422dcc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ad62a4f82314c97a1b0f435192091b8471c0676f8de65b118cb5b7d3fcbbc6f3
Cape
Cape
https://www.capesandbox.com/analysis/14130/

Comments