MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6400a7dde7bc06a67fb024815767d03b203a608e9e976c998ddd4d10fab34667. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	6400a7dde7bc06a67fb024815767d03b203a608e9e976c998ddd4d10fab34667
SHA3-384 hash:	0465e223e1b1718bafe0a9291de6b46c791b5020c085b353a493732ef4a2c4c01ae5b93f6ecf7adbf6ee9e4cec9b451f
SHA1 hash:	96344049266577fbc4dfa635ac60215a5ecc1e3e
MD5 hash:	69ee1eb5577df087d89472031d5f0149
humanhash:	uncle-pluto-arizona-ink
File name:	PI 056222.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	949'248 bytes
First seen:	2020-09-16 05:54:35 UTC
Last seen:	2020-09-16 06:45:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:F0Z6bbBasXuqXfgMLvAnyceXJCtexRLZ6bbBasXuqXfgMLvAnyceXJCtexR5kBo:GZgBDAyVXJpZgBDAyVXJwBo
Threatray	32 similar samples on MalwareBazaar
TLSH	B215124476F81F11D6F94BF114B870404BF57CBAA9D2E36E9CA4B0EBA5B1F0485A0E63
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61499/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.414.11064.7734.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/467483

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6400a7dde7bc06a67fb024815767d03b203a608e9e976c998ddd4d10fab34667/

Threat name:

ByteCode-MSIL.Spyware.NanoBot

Status:

Malicious

First seen:

2020-09-16 05:56:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mqakpxphxqdkm75qesavoz6qhmqduyeot2lwzgmn3vgrb6vtiztq._file

Verdict:

suspicious

AgentTesla

206aab7f55e604472c897665bd209d01da117dda02f7b15ad5769fb9839381ce

AgentTesla

33c726715e4918afc273ac194038d0bafc1bea5b9429fc8798ed8e16eec9140b

AgentTesla

4eae92b89bf82739fa92cedba39f0203f312aca7a50c393c7e90d191a4acf01a

AgentTesla

7b4a3076004fb5f7f9b88f3e0d6bd24caa597393bbfa614c2d9f6e028846a957

AgentTesla

b562e8e268318a67795e451cb3f4658aaf8ac7698eaed3fc9efe939aff882bee

AgentTesla

b9ef185d3f879ecb2a755aef91f48ac6de736185c1f16693afe21dabc70240b9

AgentTesla

be0c4ead0ff1af339d06306edb57854a0c5bc77fc46ad963b53f76a3747aed25

AgentTesla

cc4bdca8feec2bd7736eb6edb0b17769815bb174d1dcb11cb652952a760f1a67

AgentTesla

dde5198a36a325023e0381c7102067145700653585666a5dcbd5e1c4362d35d8

AgentTesla

+ 22 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200916-zgnv5v1cjs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/6400a7dde7bc06a67fb024815767d03b203a608e9e976c998ddd4d10fab34667

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz fecbed1f8b09c657d48b1f6c627bfdc2aca3573769337b5f3bf83ba6004cce92

AgentTesla

exe 6400a7dde7bc06a67fb024815767d03b203a608e9e976c998ddd4d10fab34667

(this sample)

Delivery method

Other

Dropped by

SHA256 fecbed1f8b09c657d48b1f6c627bfdc2aca3573769337b5f3bf83ba6004cce92

Cape

https://www.capesandbox.com/analysis/61499/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample