MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fe2e83b790e28078c73669c1eff1e47bb1f8178d58535f638c5f2f561ff496b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fe2e83b790e28078c73669c1eff1e47bb1f8178d58535f638c5f2f561ff496b
SHA3-384 hash: 330763936cd9107db88d2f239046b07bf3becc7e49aaf60c2f1b4a410eaecef0a315a03150f4042a5b96126d00d1074e
SHA1 hash: ae42201cdb5edf87502b81a4feedac7de0dc4ce2
MD5 hash: ce45ecba9cbb43f9119e0e37d869028d
humanhash: apart-rugby-solar-fish
File name:PO-O3465-0001.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:998'912 bytes
First seen:2020-07-07 05:44:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:FAN3X8+TthF1QU+BHtCOZWDTLtpNA8Qqg07ZMLgmSGxbAalpIdJ0:ZU+xByLtjoqg07qLGGxbAaU0
Threatray 10'819 similar samples on MalwareBazaar
TLSH 1F251833216E8983F4750DB1BF14DE040EAF4D471B1BF5D8ED8978C3A7FAA806586896
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: afnet.net
Sending IP: 45.138.172.20
From: Lai Yun Loong<rkz@afnet.net>
Subject: purchase order.(PO-O3465-0001)
Attachment: attachments.zip (contains "PO-O3465-0001.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21816/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6fe2e83b790e28078c73669c1eff1e47bb1f8178d58535f638c5f2f561ff496b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 20:52:21 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7roqo3zbyuapddtm2ob57y6i65r7aly2wctl5ryyxzpkyp7jfvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e1a825c158fefa17df9237a4be60bc99e1a2a42ded631c8636b6af668b1627f
AgentTesla
34fe86d0bfa9b01df1b5032307fcd5db980cb32a12bb6320772b99a0e1d2cff8
AgentTesla
353be7f64ffa25bf3d8ea90b55b9b288633883f00f328841007f82324a37a4d7
AgentTesla
70ec219c395c643882ed26e21757a273a3ca5072b54934c8cbe17cb6809b31eb
AgentTesla
954171c43ee36bd140f210f717cfd680607c10d761a425e5a7306fc28c983d2a
AgentTesla
b9a6dd35f9ca163d4e76a25d642ca7a580272ea7886a6a639273ac5b732e9f8c
AgentTesla
c2221b7f65afde44bb459fec37286e4ad1f032d30be34d04527497c4b6acfdbd
AgentTesla
cdf43e36edf4aaa17906bf552cd65351d9b6e66a77356f91cd819874cf531e03
AgentTesla
d1fbc7054235d4485a668fd7da82d4dd71e9c0b387c3214c9a593213634a5fd2
AgentTesla
d63293a1c8b19e0a042d92655ffa095412af2804a2523b31cfeb4e11e1fb772a
AgentTesla
+ 10'809 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200707-87mlhtmls2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a76f407893d7d8961ec227ce4bdf382a4c90bee0a18245ba14f7171ffa800cfb

AgentTesla

Executable exe 6fe2e83b790e28078c73669c1eff1e47bb1f8178d58535f638c5f2f561ff496b

(this sample)

  
Dropped by
MD5 87c412498ba67ac65c2aa7e348d26d44
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a76f407893d7d8961ec227ce4bdf382a4c90bee0a18245ba14f7171ffa800cfb
Cape
Cape
https://www.capesandbox.com/analysis/21816/

Comments