MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6f693ed2b9d397d19ea2aca1eaadfacde19e8c89cad22edd2fff3885048ff7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	d6f693ed2b9d397d19ea2aca1eaadfacde19e8c89cad22edd2fff3885048ff7e
SHA3-384 hash:	3ac1bf8fed50af1b1ee49c101090dec8f5b90ab4a9a725d458bffec944b781c0400627f71791b13fa86dad7c4658a95d
SHA1 hash:	2ad4997706f33471d383018e2f2a8d2a24c09e8c
MD5 hash:	885974c8042ffcb2d773ce0b93acd826
humanhash:	paris-steak-bluebird-south
File name:	RFQ.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	771'584 bytes
First seen:	2020-07-20 05:06:12 UTC
Last seen:	2020-07-20 05:38:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:Qlq6KltUaGkL2GLmn/Na0EBmE839NIXtmLtPgudVGJNk1IJzX8Dbvx4S+rMyJ/qC:QMfUaGWFaMsDNIXtmLtxdVGgcX8+Ni
Threatray	128 similar samples on MalwareBazaar
TLSH	2EF42938F9826805D83D053788B4658126B0BF472B2DCB1F79B6339C5F331DB2A96D5A
Reporter	JAMESWT_WT
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/28506/

Detection(s):

SecuriteInfo.com.CAP_HookExKeylogger.9841.17715.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %temp% subdirectories

Reading critical registry keys

Creating a file

Deleting a recently created file

Reading Telegram data

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a TCP request to an infection source

Stealing user critical data

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d6f693ed2b9d397d19ea2aca1eaadfacde19e8c89cad22edd2fff3885048ff7e/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-20 05:05:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=233jh3jltu4x2gpkflfb5kw7vtpbt2gitswsf3os77zyquci757a._file

Verdict:

unknown

AgentTesla

2e50f8b1d260cd858d97aff46f8c157b940d6db17673ec99f9304ac963f32473

AgentTesla

2ea83d557d9b9fcfa771dda7bb75fadde4e7a3d7f4f66f3fef23ecf758f084c0

AgentTesla

8a8d6c0a19756e1f4461eecf65b83d5dcf952e7fc082aa088d081245b2f925f2

AgentTesla

9090ff2fa6c1c2e9a1df238ee496e6dc5d181bed150a93b47626b3e3343b767f

AgentTesla

973de14a37f6408161ec0ec249a50527d3cdf4bf7482a67134ac7b0c9e3b7a25

AgentTesla

bcc0be90110b3b960230a366f1be67904704f87645ff5fde69536432d73feace

AgentTesla

c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5

AgentTesla

cf8d42cb55e45c4d75fae6e07b6802ae059fff427510b16e754d36e522b28a80

AgentTesla

efe9be78a8da440c576162c8bd5498972ec6134b4276c05acb6a3b060a4013bb

AgentTesla

+ 118 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200720-sywp3kvl3j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d6f693ed2b9d397d19ea2aca1eaadfacde19e8c89cad22edd2fff3885048ff7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/28506/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample