MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 611a2dfac3989c66b10815fe8d6a81d92554e0ce47ec3d5b6bdd7c91c4163a7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	611a2dfac3989c66b10815fe8d6a81d92554e0ce47ec3d5b6bdd7c91c4163a7e
SHA3-384 hash:	f99688bec744c85304c6a53443f7a648e917b3b06551f77ae6a72f4ddaaab897a8b51ae94de2cedd3815590dc51b2b3b
SHA1 hash:	4f6e0c208248b4d685e8279fcfed260880f1bc86
MD5 hash:	24f160ce1d59748e942f95b3283bcfcc
humanhash:	august-victor-montana-sodium
File name:	Hengsu_H213800.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	156'672 bytes
First seen:	2021-03-09 15:43:50 UTC
Last seen:	2021-03-09 17:45:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	768:IGYWBnQIDIqiqzgpMFTY1QzbxWJDzp5Yv7d1YUjn1115otkRur9Ebrok:9PQqITnMFTjNpOUjn111bH
Threatray	3'136 similar samples on MalwareBazaar
TLSH	F8E33F08B2D53DB7F3572D72DC527A02051D2A40D9A9AB0DB2CDF31A69F21829DEDCB4
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: mail5.maozaoo.me
Sending IP: 62.173.141.16
From: Julia <sales1@hengsugrup.com>
Subject: Hengsu order H219300
Attachment: Hengsu_H213800.z (contains "Hengsu_H213800.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Hengsu_H213800.exe

Verdict:

Malicious activity

Analysis date:

2021-03-09 17:08:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bcb410c9-f1fc-41c8-8566-e647293a0e7b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/123297/

Detection(s):

SecuriteInfo.com.Artemis24F160CE1D59.7301.7913.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending an HTTP GET request

Creating a file

Moving a recently created file

Sending a UDP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/633118

Signature

Binary contains a suspicious time stamp

Found malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-09 15:44:09 UTC

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=menc36wdtcognmiicx7i22ub3esvjygoi7wd2w3l3v6jdrawhj7a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

181929c58e5ce4833a2847c9ff077dd87e8c0128793217d7e690311087ecc80a

AgentTesla

492a4a339324e1bb41f6d4d74b43c8bd886fed3f808532e599a49a3f220d1878

AgentTesla

4ee357dd7681ca5f80acaeb7d55df4432de5d370c73e6bb887e3461b6ed537f8

AgentTesla

747ee0971e16540fa80072cdcc9e28a2f3fca2303303920c802219ea64c5bef2

AgentTesla

a03e120f219832ce89401ddfe77837c3710b505e5480842bf298704b3cc38085

AgentTesla

a3cc80048c1f95c663ef838ccfa3effa8043b16ca227b4bda377d0da91144619

AgentTesla

dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2

AgentTesla

e769369f1fd04a2fdb3976c69cbaaefee66cee1f54f523d7eab4712ce764f73f

AgentTesla

eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06

AgentTesla

+ 3'126 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210309-sb1vwqx876/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

611a2dfac3989c66b10815fe8d6a81d92554e0ce47ec3d5b6bdd7c91c4163a7e

MD5 hash:

24f160ce1d59748e942f95b3283bcfcc

SHA1 hash:

4f6e0c208248b4d685e8279fcfed260880f1bc86

Link:

https://www.unpac.me/results/fa9e9cb6-5e87-446f-a884-f858e74455f1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/611a2dfac3989c66b10815fe8d6a81d92554e0ce47ec3d5b6bdd7c91c4163a7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time