MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6b9aa153f524bbbda4626543e2d31e9f298337270b0299996ae91920bfa3fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6b9aa153f524bbbda4626543e2d31e9f298337270b0299996ae91920bfa3fad
SHA3-384 hash: 2179b8319a19d80363ccb1172c8034fa9c5928ab22a03f33209fad489d4b2e794f280e2c06d93a86cdedcf17b96d7279
SHA1 hash: a234dcfc51e55a8e2587c311f651797e6fe9bf7d
MD5 hash: ff830e12aed6c29816feaa91bef1ca58
humanhash: high-charlie-hawaii-hamper
File name:TNT Express Invoice_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:650'752 bytes
First seen:2020-06-10 10:26:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:uaUPS+6VEJD6Lpy0vfgiemdwDZAcu8q0SzNe17KytJ2sT3pbB+RRF2cxdhwirL+r:uaUp6VEt6NgiPsZAcufeK6JORRF2cy5
Threatray 11'541 similar samples on MalwareBazaar
TLSH 99D45B3E3B44A516D13D453344E6639463B2E683BA12CB0F7AC957ACAF123CF3B15299
Reporter abuse_ch
Tags:AgentTesla exe TNT


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zeus.webex.gr
Sending IP: 46.4.69.158
From: TNT EXPRESS <service@tnt.com>
Subject: Consignment Notification: You have A Package With Us
Attachment: TNT Express Invoice_pdf.zip (contains "TNT Express Invoice_pdf.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 08:14:01 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y242ufj7kjf3xwsgezkd4ljr5hzjqm3socyctgmwv2izec72h6wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
10a218233adab0c665d5a4e95a6c9af38bc2de5e9c81e9bf0b12587780e1b97f
AgentTesla
264d7bdc0a0eb2f2fcdb842a8556b06a017d5c88a37514ce8e883ac2f00cbdd4
AgentTesla
67604b91213c3d9442511b69b3281eab2554c31ed513bbf2302d61084b0693be
AgentTesla
95062ef3493a751756d9e95af40feffbd8db26375e78ef61f894ac37534f3771
AgentTesla
b441e0dcb24fc0f0d27ac8e1d1b029eb21a3e2d4540d57ddc729d4c8a6903231
AgentTesla
bbff8963c1d1069fcc4f65429d480df9963765f29865e9b35a6cb100f8005754
AgentTesla
ca1f42badc0ae203cef8844b1432f54bd47e9bffde587cac3044ecc461248698
AgentTesla
ca86c858ff00479e660669f868a816f432751b631b5166b70c692cfc10857994
AgentTesla
daa29ab753b2c5f2234a5d86200bf1754eda38150696d10a5023264026141ec9
AgentTesla
edfcf01c73ca6335d2040ac54b4d1513a4bb1ae7756e2ead34ddb6b03fb044f7
AgentTesla
+ 11'531 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-1pp6gtacja/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a4bf168c3bc36f541b2c350d093eef0878ec8901634112b1910a52bdfc9ab71c

AgentTesla

Executable exe c6b9aa153f524bbbda4626543e2d31e9f298337270b0299996ae91920bfa3fad

(this sample)

  
Dropped by
MD5 c624bedc87681e78f038524602dfd0a8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a4bf168c3bc36f541b2c350d093eef0878ec8901634112b1910a52bdfc9ab71c

Comments