MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6247e523ab6dc7d791fbf3760047f445d88b85632077090d7e346e9c6c0c76ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	6247e523ab6dc7d791fbf3760047f445d88b85632077090d7e346e9c6c0c76ae
SHA3-384 hash:	cd73d7ddf11f506d5fe740e3201a147ea2804fca09497416fa4f16ed8b2651dfe9b8753747585dd349de122f3691ec1a
SHA1 hash:	bde9dc287124543f2230b3656007d176db4328df
MD5 hash:	5fbe38bf04c58d743cabf42d21699d80
humanhash:	double-bluebird-undress-ack
File name:	AD1-2001087 PL.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'017'344 bytes
First seen:	2020-08-13 03:23:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d2c5bb9650248d566011b3a45aa89b6f (2 x HawkEye, 2 x AgentTesla, 1 x MassLogger)
ssdeep	24576:3yrAsCU/TdrqBRzSwEJsYJkyBfdHPW4zk:3y6e5HyCk
Threatray	10'851 similar samples on MalwareBazaar
TLSH	8A257D21BDD1483ED1F315389F7F9EF45C2A7ED12D24A50A2AE84C0F7A3924D392529E
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/44710/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Variant.Zusy.310751.12017.4306.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/424788

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6247e523ab6dc7d791fbf3760047f445d88b85632077090d7e346e9c6c0c76ae/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2020-08-07 19:10:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mjd6ki5lnxd5pep36n3aar7uixmixbldeb3qsdl6grxjy3amo2xa._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

0d6437a1e212ba6c8b651098ae5863a45b1e81d201d3722bd52e0c6559898db8

AgentTesla

1042eea9861e1ac601f162a2ad3da77a4ee701eb9877cdc60d78cf88bfbc2a58

AgentTesla

1467c56bab773ed3ca2cbfbbdd1334bd41a8303e2261112cbab3fc37c518f5dd

AgentTesla

561e958f45a2dd0447ee42d6af6907cc18701dfa6c7c68b3032fe05156ef22ce

AgentTesla

58ead128df62a83e25018f9688b8f5718104158b7246c5c2a5ab53cd1ce975b4

AgentTesla

97da470b7850ea86ca6b67e95f084949eb17d89d440a5739d72221a5ed0773b8

AgentTesla

a065ba2e4db5ebb1459d554c4f9301cb770ff863b2edb43a0dbd3405d186198e

AgentTesla

c8613cbe02f1e23ab87fcce103efa89cc8da78705c42ca373fa45f3d213b9f5a

AgentTesla

ea4d5083df178233f6c30b20102e80899c37694f0d4a2d23cbd40b5d739fbcaf

AgentTesla

+ 10'841 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200813-qzrs357ace/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6247e523ab6dc7d791fbf3760047f445d88b85632077090d7e346e9c6c0c76ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar