MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6413bfe11d962866d306007489ae88c102a5550ef22f1a0ae69231d1a04964be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	6413bfe11d962866d306007489ae88c102a5550ef22f1a0ae69231d1a04964be
SHA3-384 hash:	0b64be4c7c51aeb952b3209f6ada7b1ea03fc529dde46e2ee879280337937500bc48733c3db61f5bbb2d19a6e9307c3c
SHA1 hash:	c09cfcdaa5facecfbe79d21c84407049acc1cd06
MD5 hash:	05f8396a27e04690c1454dce0496d0f0
humanhash:	vermont-south-delaware-oregon
File name:	45kmts cement loading in Vesssel.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	423'424 bytes
First seen:	2021-06-07 05:11:28 UTC
Last seen:	2021-06-07 06:21:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:tumlPbnj1FXb/pMnSWqx4GIR6v271fgYn+3FiyGx/CNU0s4B35BEZygGttk8:ttDpFmlqaGILRniFidANUreJBuGbk
Threatray	5'846 similar samples on MalwareBazaar
TLSH	569401036538584AF28910B7E393589567E11D612BB11F873D1EB063B777B3DAA23B2C
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
smtp.boydsteamships.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

45kmts cement loading in Vesssel.exe

Verdict:

No threats detected

Analysis date:

2021-06-07 05:15:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bd96d7ad-a589-4e69-ab4b-02f0f095ed71

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/164801/

Detection(s):

SecuriteInfo.com.Artemis05F8396A27E0.1856.3460.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/797753

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6413bfe11d962866d306007489ae88c102a5550ef22f1a0ae69231d1a04964be/

Threat name:

ByteCode-MSIL.Worm.LovGate

Status:

Malicious

First seen:

2021-06-07 04:53:12 UTC

AV detection:

6 of 47 (12.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mqj37yi5syugnuygab2itluiyebkkvio6ixrucxgsiy5dicjms7a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60

AgentTesla

21bc6e657606c08dca9703d2149640fa9738c460c8d71a65b8913b5c7a7ae0f4

AgentTesla

337a895245dcdbe522c4320dbe1dfd62e346aecad8246f9b895a5460211865b0

AgentTesla

360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca

AgentTesla

4a02a5be4110a5eac3e639deaecb4f134dc1788a4623b1d6a92eea75cdf6f31e

AgentTesla

517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c

AgentTesla

87178907c9c47a383a2a08a30481dbc5345b6c85c48142a855900d9840e6b6da

AgentTesla

a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25

AgentTesla

dea2e88e71d3b38500aca694a9ba1f476d8db14e5389a2cf70b23cad51eb33c9

AgentTesla

+ 5'836 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210607-gen5g8kkze/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

Nirsoft

AgentTesla

Unpacked files

SH256 hash:

375381022b8eeb17bbfb9d1bde6f5288bb8cadfd6c9cba97f8fa615dd45241e5

MD5 hash:

26352572202bcd481578204545b415db

SHA1 hash:

646a809917b8846bb2ae200968289a2965c93641

Link:

https://www.unpac.me/results/c38a6c29-b655-48d3-9b93-7c532815f3dc/

SH256 hash:

bf84cadda9e6e8cfac85e18d273088bfc26a227918b5dd15eb1f02fb2517f423

MD5 hash:

ed5d17abb3c6ad64df7e0bf8dc22b56d

SHA1 hash:

b04a126bf2920bda9d8ed006fc5715415659333c

Link:

https://www.unpac.me/results/c38a6c29-b655-48d3-9b93-7c532815f3dc/

SH256 hash:

a13fad1c1102dd0debfeb0d64d9bbe726f65f51e43d6de92e98623b5c72c20db

MD5 hash:

903f19267a05352ff6dc21b6a3d9d613

SHA1 hash:

7a100f972e0a5205d681bfea463dbb6fc5b36f60

Link:

https://www.unpac.me/results/c38a6c29-b655-48d3-9b93-7c532815f3dc/

SH256 hash:

0d08a83ab4541575838fb4b627a3d8152aad877c85703892bf1be76dbeab2d17

MD5 hash:

ba2bcd7d98170c68515fd86c5b51b829

SHA1 hash:

00812df6fe9e989fd48e52a500a4409c79d58f0f

Link:

https://www.unpac.me/results/c38a6c29-b655-48d3-9b93-7c532815f3dc/

SH256 hash:

6413bfe11d962866d306007489ae88c102a5550ef22f1a0ae69231d1a04964be

MD5 hash:

05f8396a27e04690c1454dce0496d0f0

SHA1 hash:

c09cfcdaa5facecfbe79d21c84407049acc1cd06

Link:

https://www.unpac.me/results/c38a6c29-b655-48d3-9b93-7c532815f3dc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6413bfe11d962866d306007489ae88c102a5550ef22f1a0ae69231d1a04964be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/164801/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample