MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c6f455851b2d70a8c2ffe6561544081b3c98a2e45bf0faa3c58785faefec386. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	4c6f455851b2d70a8c2ffe6561544081b3c98a2e45bf0faa3c58785faefec386
SHA3-384 hash:	e52bc5518114d42ccb3f89342068bd9693a1b53d36696b3cb3bd84189e7743fa27c30f19a4c5fedd07eb958c82889e96
SHA1 hash:	ce98478e59b53d08e30d6118bf0c5569f198cb3c
MD5 hash:	1823826b6ff7a839483eb3fa225fc4a5
humanhash:	ack-social-maine-green
File name:	Scan_Document.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'022'464 bytes
First seen:	2020-07-18 07:55:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2050fc6fe8629092d6969251a507616c (10 x AgentTesla, 3 x AZORult, 3 x MassLogger)
ssdeep	24576:niyCa7qmd5pLQyir/N+XeB8t4cidRC9p2Fp:niBPq5adL4YlC9p2P
Threatray	11'812 similar samples on MalwareBazaar
TLSH	95258D32A6B1CC33C1721A7FCD1B72687D2E7E512928B9457BE47C385E3AA50352D287
Reporter	abuse_ch
Tags:	AgentTesla exe HSBC

abuse_ch

Malspam distributing AgentTesla:

HELO: staging.maykenbel.com
Sending IP: 195.12.49.182
From: HSBC Bank <advising.service.45111388.809972.2660902352@mail.hsbcnet.hsbc.com>
Subject: Payment Advice 08/07/2020 - Advice Ref:[GLV924565043] / ACH credits / Customer Ref:[C27-20190911-142533] / Second Party Ref:[512389801785]
Attachment: Scan_Document.gz (contains "Scan_Document.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/27655/

Detection(s):

Win.Malware.Smdd-6922230-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.2197.30182.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Creating a file

Deleting a recently created file

Reading Telegram data

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a TCP request to an infection source

Stealing user critical data

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4c6f455851b2d70a8c2ffe6561544081b3c98a2e45bf0faa3c58785faefec386/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-12 00:54:20 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jrxukwcrwllqvdbp7zswcvcaqgz4tcroiw7q7kr4lb4f7lx6yoda._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

80ee42d530f42fd7717450f85e3e68dbea5e0dbf7c856a381dde02c7dfb5b5cd

AgentTesla

923d6f2e83a74acdd4e501f42f737b720ab266e1ed7312994bd99e259bd15464

AgentTesla

9be148a7dda520e13c81cdc99219724ca8be064a334f0efe88e2676046e057a8

AgentTesla

a550ba5d41e52b9e136cafbfcdfe92148a0111a0e75a5ec3073ddbc0d965de55

AgentTesla

b71109b9a502da42f489f292bfd9ac77e4e0b32325c3b7f20c4005b9d0407a90

AgentTesla

dc22c2145431a6ecc75ef2f7271120d8e102cef7faeac96d1d1d6ffb9b680ac4

AgentTesla

e856965f1981e48f4f077960c75f10c352ee8bc792776e69d4f83c3f99b9ad1c

AgentTesla

eba71d34064a16351e9b19b46abdf4240ff2ce39d709a7d6c636c06327b561d2

AgentTesla

f6cbd42dd07aa22dae1ad0617e9db28998f73d8fa1c528ded46ec284f05cad12

AgentTesla

+ 11'802 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware persistence keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200718-gl2fxdvl8n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Modifies service

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4c6f455851b2d70a8c2ffe6561544081b3c98a2e45bf0faa3c58785faefec386

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar