MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47e6fd93cc7d879c970280e4bae5c2bad2ee63e4c9838a453c56dc5202a98bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47e6fd93cc7d879c970280e4bae5c2bad2ee63e4c9838a453c56dc5202a98bdd
SHA3-384 hash: 2110511ed137786d6bc088b552a788f26e11436f52143f4cd990490298064aee4da4d7b5ee04251bba01d879d7625fb3
SHA1 hash: bf469aa334afffec5d38ecb002b698f985f367ab
MD5 hash: 862c13e11a4e51ebc28f3cbf9675869a
humanhash: ink-summer-emma-bluebird
File name:f634s6d8rGB5Xms.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'207'296 bytes
First seen:2021-07-01 06:27:44 UTC
Last seen:2021-07-01 07:57:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:snr+s3QW8E2RhzhLSfnnOk+uw5e2tR0OFJYM/mOU44V4g9SQxYMVd2dehh:W789hzhLWIuea8jOj5SpMV+ehh
Threatray 6'569 similar samples on MalwareBazaar
TLSH 9445D00BF605DA46C8952238DCEFC27413B5DD867D12CB0B2A997AEE3CB2611CD553E8
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f634s6d8rGB5Xms.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-01 06:29:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8098ef6-bfcd-44d8-a849-ee2b36a6e9e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169061/
Detection(s):
SecuriteInfo.com.Artemis862C13E11A4E.26513.4806.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e7993fe-c126-4de7-bf98-2a68ce6c7883
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810357
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47e6fd93cc7d879c970280e4bae5c2bad2ee63e4c9838a453c56dc5202a98bdd/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 06:28:11 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7tp3e6mpwdzzfycqdslvzocxljo4y7ezgbyurj4k3ofeavjrpoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
067173ee180295fa8ab38ce36f7fac2c29aa554e8d814054c549f443ce33a4ed
AgentTesla
0f8ce6f5eb21291a23305d675444658dbe619d7a9131c4bda4b49d20d60afeec
AgentTesla
25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f
AgentTesla
3f2ce17fe342c19e6ac9890f379841df3c448099e6565b9906538b463fc02932
AgentTesla
7ec0013035b5a6c21985a1094de2f2aace63b0b7a3cf2262798a1bffd19aae8a
AgentTesla
c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec
AgentTesla
eb477109f194850024798eb750fbf01dd36027a1afcb559a539d988f382de5ab
AgentTesla
f00b76191455603bf8d2581005dc19af75847b1cb8460855288476d068517871
AgentTesla
f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61
AgentTesla
+ 6'559 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210701-shsr6df6ys/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/6c5f29c0-3aaf-4825-b94f-bc14bcf79812/
SH256 hash:
91809f716b3bb980c7d55dad96e6d2e572f151a13853313d6c6b3b3c06ac6f01
MD5 hash:
6a1250edb246988fc1e4d4243662faea
SHA1 hash:
7ecc762ebc7feb1719fa09922e9a53d09f38ae01
Link:
https://www.unpac.me/results/6c5f29c0-3aaf-4825-b94f-bc14bcf79812/
SH256 hash:
16cedf44a540d3758e5bfbea7366a2762e452c7c4020690127a7a66114274683
MD5 hash:
99655783ba4635e5377e9ddc368d234c
SHA1 hash:
50590e59a51af89cc8f31becf8e3357e9b564dd8
Link:
https://www.unpac.me/results/6c5f29c0-3aaf-4825-b94f-bc14bcf79812/
SH256 hash:
47e6fd93cc7d879c970280e4bae5c2bad2ee63e4c9838a453c56dc5202a98bdd
MD5 hash:
862c13e11a4e51ebc28f3cbf9675869a
SHA1 hash:
bf469aa334afffec5d38ecb002b698f985f367ab
Link:
https://www.unpac.me/results/6c5f29c0-3aaf-4825-b94f-bc14bcf79812/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47e6fd93cc7d879c970280e4bae5c2bad2ee63e4c9838a453c56dc5202a98bdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169061/

Comments