MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525
SHA3-384 hash: 6a3d30a53b0a307990eb1b069a1662ef4da8b2f6889256c8a3d275ceef2f82327774fb6bc8a1753bde519539871a905b
SHA1 hash: 02b3027c1467b16ce0ef9fc8dc4b65b3aff72d74
MD5 hash: 7c21986ff989bc5d9d26f9a58fc88550
humanhash: foxtrot-sodium-kentucky-arkansas
File name:New order.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:893'952 bytes
First seen:2021-01-25 06:20:35 UTC
Last seen:2021-01-25 07:50:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:/TDgabSe6F5Qo25/qV/qV5x+3fBmzXLETTovwpKAVtL:gm9/qV/qF+3fBmbLETTovwpTVZ
Threatray 2'258 similar samples on MalwareBazaar
TLSH A515241135E0CA9FC93A42B60660DD9C22A45EDEFD00967908BD399F3A2FE4D47D46B3
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New order.PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 06:23:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/945cf197-a5b5-4ce9-acbe-092763210eb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114596/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.8786.27345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/589202
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343617 Sample: New order.PDF.exe Startdate: 25/01/2021 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 12 other signatures 2->59 6 New order.PDF.exe 3 2->6         started        10 kprUEGC.exe 2 2->10         started        12 kprUEGC.exe 3 2->12         started        process3 file4 25 C:\Users\user\...25ew order.PDF.exe.log, ASCII 6->25 dropped 61 Injects a PE file into a foreign processes 6->61 14 New order.PDF.exe 2 5 6->14         started        19 New order.PDF.exe 6->19         started        21 kprUEGC.exe 2 10->21         started        63 Multi AV Scanner detection for dropped file 12->63 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->65 67 Machine Learning detection for dropped file 12->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->69 23 kprUEGC.exe 2 12->23         started        signatures5 process6 dnsIp7 33 smtp.ph1cool.com 14->33 35 us2.smtp.mailhostbox.com 208.91.199.224, 49748, 49749, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->35 27 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 14->27 dropped 29 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 14->29 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file access) 14->41 43 Modifies the hosts file 14->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->45 37 smtp.ph1cool.com 21->37 31 C:\Windows\System32\drivers\etc\hosts, ASCII 21->31 dropped 47 Tries to harvest and steal ftp login credentials 21->47 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 51 Installs a global keyboard hook 21->51 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-25 06:21:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
8 of 46 (17.39%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbxovokwsbpyu72o6axxighju2we7lf5erc72hr2dsyavfargusq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0158b790a1604fc90e7c01c81f7851fb1a86f9e9d01de234b5134b763039707a
AgentTesla
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
43ae34f089374f6293998924525d9e8516c59bf2cd8150a7c01d6c565c85aa10
AgentTesla
5cf8e944ea54195e221343dec2bb3728c5faecc2b55be781b597503a7ae2fd39
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671
AgentTesla
72ad22e7df09e217184e472645352c8bfe28a44afe5fda4659f4082268d33da3
AgentTesla
98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
AgentTesla
+ 2'248 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210125-39de6kd7nx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
9895ba0f2c6c606dd5a62bc6d1897ab37940a52dbd2f3eac2d1e61d26aeb69a2
MD5 hash:
ffe2a1adc919c50cd9d37f27b07de13a
SHA1 hash:
8fe275c9cd3f814ff432d6d99f89c00012095df6
Link:
https://www.unpac.me/results/b5c86ce6-3ac6-4a9f-a3b2-f3d25e2079ea/
SH256 hash:
fe91968f1213cde1419125d003cde5519c5275191c7596b1719f371771f5e009
MD5 hash:
d69a85477395ceb4b795902cc7c2a1a3
SHA1 hash:
86aacdeb97a4587970656f4a07952740030e42e0
Link:
https://www.unpac.me/results/b5c86ce6-3ac6-4a9f-a3b2-f3d25e2079ea/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/b5c86ce6-3ac6-4a9f-a3b2-f3d25e2079ea/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525
MD5 hash:
7c21986ff989bc5d9d26f9a58fc88550
SHA1 hash:
02b3027c1467b16ce0ef9fc8dc4b65b3aff72d74
Link:
https://www.unpac.me/results/b5c86ce6-3ac6-4a9f-a3b2-f3d25e2079ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 747f6dcb5ddae7e0f0b3841962c9a662a915dc712b444519e4009867eb7e293a

AgentTesla

Executable exe 606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 747f6dcb5ddae7e0f0b3841962c9a662a915dc712b444519e4009867eb7e293a
Cape
Cape
https://www.capesandbox.com/analysis/114596/

Comments