MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f5cb937ebbb23ebe4b3d60a619db924ca931a38cb90abde410bdb829c987723. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f5cb937ebbb23ebe4b3d60a619db924ca931a38cb90abde410bdb829c987723
SHA3-384 hash: b6a284079aecde456e7f609b2eb84a1f2f198517c058dbac896f1544cca40d47adc50c0ea06cb8474e82775fd8be0599
SHA1 hash: 7683016f59907f355ac927d953b93e8257be4cc6
MD5 hash: 226f86e26858c872c666c9a50e1b8f5a
humanhash: charlie-vegan-golf-fifteen
File name:SKM_C364e19051509200.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:516'096 bytes
First seen:2020-04-30 08:49:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UbRRjXtxRi4Q9LnG2FZYx5XmVT5jOH0M51li8HmjRz2V:Iz9xqhG23o5XkThOVgz2V
Threatray 10'637 similar samples on MalwareBazaar
TLSH 03B4022333DA9A07CAA90AF55813220007F49F4B5913E7CEADD477FB16B27D16A06793
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: burlywood.elm.relay.mailchannels.net
Sending IP: 23.83.212.26
From: Gloria Zegarra <gerencia@insumedsac.com>
Subject: New Order - CKA Holdings
Attachment: SKM_C364e19051509200.cab (contains "SKM_C364e19051509200.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 09:36:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5olsn7lxmr6xzft2yfgdhnzetfjggryzoikxxsbbpnyfheyo4rq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
065bc29beee579f4df10691c61b9d3bc38ac4c271da4eb2e1ccfce7a2e33dd93
AgentTesla
177687add01e6a7555b0d3a89296e9f78db3df022804e5c74dfaf45f3561b5b3
AgentTesla
27e0f7e971ba78022104ace7a5b679e58cdb7ed7db9c7871362fc19a5a6ee3d8
AgentTesla
4541009b314198e7726a3c82c52b53b421699f214398a8d22109419aa228fed8
AgentTesla
464f46912f42329070918fa31d13f9bd4a9288c1178f2586ded54e8e00bba5bb
AgentTesla
7207b499520093d020dea1f5cda54b46f389f6c1ff8da0a5c9feeb1f0266177f
AgentTesla
aef64c6cd279ba042b259ab95a0387609e76ad490e0bb07244779845589b8626
AgentTesla
bb8b06ada96296ed57372c977fd4279afd2d273cb3613080b243f15936c89096
AgentTesla
bcc18ed33180e9661d41fc120c6008875fc214c569cc5e15a87fa93fd9e4f5f4
AgentTesla
fa3ce577f3f1fff59835222b4a67d32900b0e49fb5d7f8bd0874dfc75092a2e4
AgentTesla
+ 10'627 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

1e651b02e69ff580d1fc0220b1f54124

AgentTesla

Executable exe 6f5cb937ebbb23ebe4b3d60a619db924ca931a38cb90abde410bdb829c987723

(this sample)

  
Dropped by
MD5 1e651b02e69ff580d1fc0220b1f54124
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments