MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6147c0c4f1176427ee8cd49355313608c1b18d0a8080dc53319a7b3eb2f83b02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6147c0c4f1176427ee8cd49355313608c1b18d0a8080dc53319a7b3eb2f83b02
SHA3-384 hash: 9dbd67861e27041d031e515d9b464d0d3374df7255ff5aa2fc1c748f1415c94344211ab39b6a3809e4b2d9722bdd703a
SHA1 hash: 6c0d0cb777540273b9d605479785872ac2d33023
MD5 hash: 3751df6d2df34fc230df34531d41f841
humanhash: may-magazine-leopard-nitrogen
File name:Order Confirmation INVOICE NO. FSE2502020OU & FSE2552020OU.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:711'168 bytes
First seen:2020-10-16 12:54:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:akzdK2UuUzP7SqesnoP/WE5ZgnoxJdsXy73CNqVNWvHbcCLkL7Kg:aVev/WrQVeWUG
Threatray 44 similar samples on MalwareBazaar
TLSH C0E4203438BA50D9F0739E768ED0B196FE9BBA222505546ED061D3C20623B83DF8D5BD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Partner Pak-Vaidas Zaveckas <info@kulmanorders.com>
Reply-To: Partner Pak-Vaidas Zaveckas <logspass007@gmail.com>
Subject: Order Confirmation INVOICE NO. FSE/250/2020/OU & FSE/255/2020/OU
Attachment: Order Confirmation INVOICE NO. FSE2502020OU FSE2552020OU.iso (contains "Order Confirmation INVOICE NO. FSE2502020OU & FSE2552020OU.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72020/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/493611
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299259 Sample: Order Confirmation INVOICE ... Startdate: 16/10/2020 Architecture: WINDOWS Score: 92 23 Multi AV Scanner detection for dropped file 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected AgentTesla 2->27 29 7 other signatures 2->29 7 Order Confirmation INVOICE NO. FSE2502020OU & FSE2552020OU.exe 1 5 2->7         started        11 reedit4.exe 2 2->11         started        13 reedit4.exe 2->13         started        process3 file4 19 C:\Users\user\AppData\Roaming\...\reedit4.exe, PE32 7->19 dropped 21 C:\Users\user\...\reedit4.exe:Zone.Identifier, ASCII 7->21 dropped 31 Adds a directory exclusion to Windows Defender 7->31 15 powershell.exe 25 7->15         started        signatures5 process6 process7 17 conhost.exe 15->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6147c0c4f1176427ee8cd49355313608c1b18d0a8080dc53319a7b3eb2f83b02/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 12:56:11 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfd4brhrc5scp3um2sjvkmjwbda3ddikqcanyuzrtj5t5mxyhmba._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
123765ca93c6c71f123934f0a1ea08487449d2bfab58f47f9c0a2d4cc645021b
AgentTesla
1e9ff9549343dcb17dcb137508657a94e5503579e0e0741443b27c732b62fa5c
AgentTesla
2149d167c87cf15f48aa1852adcf96c9a62287a26496ff33892ecc67500d3be2
AgentTesla
55bca504c5ff798d6c5d4431eff4dda8df6ebfca0db4d86b0f1bf770ff550a0f
AgentTesla
6ea011e6a1836355936582525e455b151057c89b7f1780ab52c6f5c4cb19ddad
AgentTesla
9b915d2e5f70b859d8c2eafc94bd593d3e53255444a5b4b651dfb9c2523d83d7
AgentTesla
b8ad7398bf812d51b21f9ec51b8ffba7d3830dac0a949f09acea087066f4368b
AgentTesla
c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75
AgentTesla
f4c25b70ae9ea0c7f4a7f028011167b7154ded11a0b8e90b1c7570ba9af1f2f2
AgentTesla
fa655773a5d44061edbaeedb2b3e31597bcefe870c47fdefdb39ea0bb072d31d
AgentTesla
+ 34 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201016-pqljdtpvds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6147c0c4f1176427ee8cd49355313608c1b18d0a8080dc53319a7b3eb2f83b02
MD5 hash:
3751df6d2df34fc230df34531d41f841
SHA1 hash:
6c0d0cb777540273b9d605479785872ac2d33023
Link:
https://www.unpac.me/results/e548a059-fb2f-45aa-b88f-2d030b045d3d/
SH256 hash:
45ebba606bd1f973356400c12130c218de9ec6574452ea5f1b560af54ae6cee4
MD5 hash:
c6a78c9451495b966538cadfe9e882af
SHA1 hash:
40adc0222496f8a73c827d7aeb9f0615123990fc
Link:
https://www.unpac.me/results/e548a059-fb2f-45aa-b88f-2d030b045d3d/
SH256 hash:
6cba41b7e6959fcb340f6f089557442bcba6e001fc26c2e42b2697a2c16de32f
MD5 hash:
6a4a59c39ec7b12ea3ec65232c509911
SHA1 hash:
6b25d56e376d3124133f3becf41b3797064e08e6
Link:
https://www.unpac.me/results/e548a059-fb2f-45aa-b88f-2d030b045d3d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6147c0c4f1176427ee8cd49355313608c1b18d0a8080dc53319a7b3eb2f83b02

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 40e6a2be0636ff395c2c3f41c7b20cb675aab1e4a4ec90e4f650487fec77c6a5

AgentTesla

Executable exe 6147c0c4f1176427ee8cd49355313608c1b18d0a8080dc53319a7b3eb2f83b02

(this sample)

  
Dropped by
MD5 68f19ad24cbb225d7ca6f41dce5305c7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72020/
  
Dropped by
SHA256 40e6a2be0636ff395c2c3f41c7b20cb675aab1e4a4ec90e4f650487fec77c6a5

Comments