MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f8656097253e7c03da9888a3c217581e576f5062075096e2bdd52f5d6515d83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f8656097253e7c03da9888a3c217581e576f5062075096e2bdd52f5d6515d83
SHA3-384 hash: 5ece63c4acf422472ac0ecaa267de5269580bc8eda7cbf8ca69d1402f7a0e3b779be4c0591c340a5a3f0abe5b1e67d9e
SHA1 hash: 227cc17bd244f99ee25f57606d3b5baeeb3f0be8
MD5 hash: ccad3400b83cee51ca4ffb6d1f8444e7
humanhash: pizza-magazine-gee-arizona
File name:ordine_90000000000.img.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'426'880 bytes
First seen:2020-06-05 13:46:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:7aUDdy6VEt6zzV+O0Q+2Gk7aiSu5euSESB0MX6rtqYuVh8qx6kn:7Q6NlV0Q+2BSu54lBDgwYstHn
Threatray 10'858 similar samples on MalwareBazaar
TLSH 78B53E27ED818647E01803FCF8271DB56A2E6745F553ABFE21760ECE6E0194A2E9703D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outokumpu.it
Sending IP: 88.135.38.169
From: Outokumpu SpA - Italia <info1@outokumpu.it>
Reply-To: evoletb30@jyzaustin.com
Subject: ordine di acquisto 90000
Attachment: ordine_40000000000.img (contains "ordine_90000000000.img.exe")

AgentTesla FTP exfil server:
ftp.lilangelness.com:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.19116.6754.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-06-05 13:48:05 UTC
AV detection:
22 of 30 (73.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6dfmclskpt4apnjrcfdyilvqhsxn5igeb2qs3rl3vjplvsrlwbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c2bc64a7bfeaa6b61a5094ee4562008df806659b49e81f449e74be07bfcd80c
AgentTesla
2ee5c01d6740b2f12626d965b629f396451e22badb6d209b4f988bdf5ce5fbed
AgentTesla
34cf69d94adcbf7c3646400b9d457de10e974790ffa71278291b61426005f13e
AgentTesla
3ac44f96c1937f01a4a0f0a69d1a310a8e98e5a547fad95b38afcc4030af1646
AgentTesla
72aedefba6c5dc3e13064e87ae4389a18d0293b58214a157ef4c87a8f1538b33
AgentTesla
c389014fe07b309ae01e364e5cfa078f0a8239495092a420576a7d94ec4e93e8
AgentTesla
e19036840b004b79bb9ba2de79789e5404c833033f0b22e74e8eb98c1cba3b64
AgentTesla
eaf9e97b4d055b54d926265c1859acf33153daaa94e95c23d4c0849b48c391b5
AgentTesla
ee9ee2abef95ddfdcad61d9314b9fec9deb37695427b57b85248ff3adfa8fdeb
AgentTesla
f5c5bb6cc50ad8b292fee420d4aef9d5100d6703f6ef10b52fe98d98ce9bee54
AgentTesla
+ 10'848 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-yyycyzqxe6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

bec688f0bd9a8538c051cdde1ca3312a

AgentTesla

Executable exe 6f8656097253e7c03da9888a3c217581e576f5062075096e2bdd52f5d6515d83

(this sample)

  
Dropped by
MD5 bec688f0bd9a8538c051cdde1ca3312a
  
Delivery method
Distributed via e-mail attachment

Comments