MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6218038bf6ea86f19129bdc673cdc1ab6f58b27b1a61a8438aaacbcf7eea0e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6218038bf6ea86f19129bdc673cdc1ab6f58b27b1a61a8438aaacbcf7eea0e29
SHA3-384 hash: f09915325c455c335b63fea00af9462691c40455287e623199b27e8fb93811a45b8bfff34e3730b512e660717db6726c
SHA1 hash: 8c5d3a445c7717e40e6168087bc3eff2cec97d4b
MD5 hash: b917f5efe055c07a7b37fa717b1fd705
humanhash: network-blossom-jupiter-nebraska
File name:payment slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:621'056 bytes
First seen:2020-10-20 06:26:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:WPbBX87+hmccFIg+a8HGD0bwE8vvZlNG6ixGWu2pbv8oFSOp:giYBcQHLbZevRNRubv8o7
Threatray 649 similar samples on MalwareBazaar
TLSH C1D4DEBF256C6B53C27C00BE4214800E0DECF9165E72FE7AEDEA70A966D05C91EC3661
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cpshared11.tedata.net
Sending IP: 213.158.187.42
From: Nejat <nejat@ewfcpl.com>
Subject: NEW PAYMENT RECEIVED..
Attachment: payment slip.zip (contains "payment slip.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73245/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen9.56514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497088
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300690 Sample: payment slip.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for dropped file 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 10 other signatures 2->47 7 payment slip.exe 1 7 2->7         started        process3 file4 33 C:\Users\user\AppData\Roaming\ezuZWzJ.exe, PE32 7->33 dropped 35 C:\Users\user\...\ezuZWzJ.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpDD6A.tmp, XML 7->37 dropped 39 C:\Users\user\...\payment slip.exe.log, ASCII 7->39 dropped 49 Injects a PE file into a foreign processes 7->49 11 powershell.exe 21 7->11         started        13 powershell.exe 25 7->13         started        15 powershell.exe 7->15         started        17 12 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 8 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6218038bf6ea86f19129bdc673cdc1ab6f58b27b1a61a8438aaacbcf7eea0e29/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 18:31:50 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mimahc7w5kdpdejjxxdhhtobvnxvrmt3djq2qq4kvlf467xkbyuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3
AgentTesla
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
AgentTesla
3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337
AgentTesla
4107ae832e2a94dd12c11823472aba013b3d016efbc357526152a2e0d2d3ca88
AgentTesla
4bdce1c0f19e06fe3011983fd12202ca87b82016cf29422554ec1687e0ff377f
AgentTesla
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
AgentTesla
6b5ade8c20a7aa1d53ae922e4e473b254a81e61055296736ab0d82f8a743203d
AgentTesla
c267dcca6efe1260863d0b0a8c6358df04adc0b0de700674eaf8de2aafacf3fa
AgentTesla
c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff
AgentTesla
c951087e608e78b4ba80b230c285b8052ac7b64ccc244a612d6ec5d1ea3c65f9
AgentTesla
+ 639 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201020-3y3j2n3rz6/
Unpacked files
SH256 hash:
6218038bf6ea86f19129bdc673cdc1ab6f58b27b1a61a8438aaacbcf7eea0e29
MD5 hash:
b917f5efe055c07a7b37fa717b1fd705
SHA1 hash:
8c5d3a445c7717e40e6168087bc3eff2cec97d4b
Link:
https://www.unpac.me/results/d0be7e6d-75e5-4842-9339-e72c1adbba17/
SH256 hash:
9432fe499dbafa44acf7db0207608d87bdcc083fde9186112228861ff27d9502
MD5 hash:
35c21813abc904d505d6f49fee6888a1
SHA1 hash:
1c5136608807707a8226eaad130bf867c37cc1a1
Link:
https://www.unpac.me/results/d0be7e6d-75e5-4842-9339-e72c1adbba17/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/d0be7e6d-75e5-4842-9339-e72c1adbba17/
SH256 hash:
850e15916b57482cc66f359214927955ccd572d1d4dccedd7d2ce942499b1d62
MD5 hash:
56402aed52d4dcccca3b19969e9978f6
SHA1 hash:
a365e11fa099a18488b228324eb9eb4418679512
Link:
https://www.unpac.me/results/d0be7e6d-75e5-4842-9339-e72c1adbba17/
SH256 hash:
3259a65c969f82f031b8cc93281d0b70c5b3e76679fdd2612312fed74e25281d
MD5 hash:
b03ae6e58b3894442bfccd9f204b0f3f
SHA1 hash:
f156eb565d645fcec1ba3126b1b367b12c1a5730
Link:
https://www.unpac.me/results/d0be7e6d-75e5-4842-9339-e72c1adbba17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6218038bf6ea86f19129bdc673cdc1ab6f58b27b1a61a8438aaacbcf7eea0e29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fb88bee15ca62afd52e1b6dcb6c4b7a02f36472aeef61efe63b6d1d804ff6007

AgentTesla

Executable exe 6218038bf6ea86f19129bdc673cdc1ab6f58b27b1a61a8438aaacbcf7eea0e29

(this sample)

  
Dropped by
MD5 c19cc003d2ed96f2570061e23558011d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73245/
  
Dropped by
SHA256 fb88bee15ca62afd52e1b6dcb6c4b7a02f36472aeef61efe63b6d1d804ff6007

Comments