MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af
SHA3-384 hash: f837e5245d1bb4950ff6a01efcf0b07d34befa168e88df95a466811913243e58ec561c06f77c8e1a283c6aa6c549473c
SHA1 hash: 21838e3b8a8410ac5d83dc01086113b172c12301
MD5 hash: 128feb2ff433ea2688a0144a7845e0e1
humanhash: fifteen-chicken-avocado-johnny
File name:New_Order #20201103_004178.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:915'456 bytes
First seen:2020-11-03 06:26:15 UTC
Last seen:2020-11-03 07:57:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XMSXlEBGoVbYGOCmpqcbXDc6t0C1jfYpKVedBLosoOwLvNrgkAyeKxZP+JDVuisA:XAOCmbbT/0MYIeLE9OEvNr5GVDVFsf
Threatray 910 similar samples on MalwareBazaar
TLSH 9215BFFA6286E66AC40F003FF84B256193D9CB2D99FD804647C9B11D137C6DE96AC4CB
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/81952/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.29125.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/518863
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 03:19:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=makkx7z7ra76wqczhd2umjs3zhlp2wqds53y2eh3xt36picdocxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2da02cb0f56579332322d544b18a172c8a3ea6f9506bc9e4a014943ebf174c56
AgentTesla
3ce4695af91401e898d1819f320779c68bf2bb8da493f222590ab537aa272c18
AgentTesla
63adb2924e560b5372169c820684773bba83fe0ab3e0b51ecf3192b0cda9d774
AgentTesla
6dcc42aad646c84eadd068ea14762f62a5d769a6e03b65a859edea2749902dce
AgentTesla
a7e8c4d24e013f48bed29fb9a5f0d80c60be249862213e142c7feb47f07ac39e
AgentTesla
aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240
AgentTesla
b2a4c9e1fbafc010c19f17103ed3454b96fd23e047a6a03cb01ecdc9f026709e
AgentTesla
c2f1ec82febf0068c88740b94b858d400c40bc8bf1b368bc7c8920c138947b7b
AgentTesla
c64b982e4d39e00892526dfe075b7a35448b5d07e7dae1ec2df65dbce854773c
AgentTesla
f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8
AgentTesla
+ 900 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201103-ry3l1w23yn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af
MD5 hash:
128feb2ff433ea2688a0144a7845e0e1
SHA1 hash:
21838e3b8a8410ac5d83dc01086113b172c12301
Link:
https://www.unpac.me/results/056d9bd6-0b63-4388-bb08-7c0a90ccd87d/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/056d9bd6-0b63-4388-bb08-7c0a90ccd87d/
SH256 hash:
24d36953947125741072ffecf243e277b9424cf381ef7b546c94c69506af8ca5
MD5 hash:
53b878f6356894b795bf6959d78bfc3e
SHA1 hash:
9081a1f734419936723f65867a819a1e435a0950
Link:
https://www.unpac.me/results/056d9bd6-0b63-4388-bb08-7c0a90ccd87d/
SH256 hash:
f55937050b25ba1984c6d418242f7e819dddfcf9bbbc91cca5e6a88e779df9c6
MD5 hash:
8d2fa44cbfc85172a5aae15bb71e2764
SHA1 hash:
c45caafce5e04b3d2d087ddb8b789b0600880325
Link:
https://www.unpac.me/results/056d9bd6-0b63-4388-bb08-7c0a90ccd87d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 79ba630bb35ff276206cd138ae4efe01e2929ab38a1cb61e21afc8a0152cc411

AgentTesla

Executable exe 6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/81952/
  
Dropped by
SHA256 79ba630bb35ff276206cd138ae4efe01e2929ab38a1cb61e21afc8a0152cc411

Comments