MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6626efff01b34eef4f69d8357052b70a36dd8abac62bad192397d335ff9247dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6626efff01b34eef4f69d8357052b70a36dd8abac62bad192397d335ff9247dd
SHA3-384 hash: bc6d8796416193833bfef4cd94e77282d67314f166c6bb83a6db71c8545c980f06eec81da40cead365b757337f1e56ff
SHA1 hash: 66f5e74c220a39fdb1f2b721265ca5a87b7d05bb
MD5 hash: f1afd73e0499e98624e4c4a426319e07
humanhash: fifteen-glucose-mango-orange
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:374'272 bytes
First seen:2020-07-15 21:25:38 UTC
Last seen:2020-07-16 08:02:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:mNKo3aM952TJVVaryyPGnr1BMj2mmTesmF5hb6NnZvydWlHJCIKn:eVbaVVSo1BMj2mxs47qnZv5HJC5
Threatray 10'913 similar samples on MalwareBazaar
TLSH 888401227AD4D919D27E1BBBCECF501447F8BD467222CB0DFD9A228E19527F244421EB
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26243/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34178001.23221.18806.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6626efff01b34eef4f69d8357052b70a36dd8abac62bad192397d335ff9247dd/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-15 16:20:52 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=myto77ybwnho6t3j3a2xauvxbi3n3cv2yyv22gjds7jtl74si7oq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
254c1b8ff86ebe8a88aacb3172ea4c05289dc129d3364189bcdfd097e5f5ef6f
AgentTesla
4163f850032d58f8df3a47be1173ff7ff5d89c989512bd08979e724261994345
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
7013e2ac13e42bbee07bb06c5f9c2e4b625a6599a64bccf0e844ba2e995e0737
AgentTesla
a0b5afcab56631d737decbb0378a3aa681f0d053fba8b829a039b452c0be79ed
AgentTesla
adbdc4cbb6b8805700fcfd618e763872f6960f5989a62c9cdffc961d9b0f3e39
AgentTesla
b82d04c79bfd870dd7024db85a5c3c60827776af6bfd6b73306ceebf72150ba4
AgentTesla
bc36d20a9c2283a9f9e01a995af6fde7824a0d18469983d0a6fb3899c6516b47
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
f64f6cdf34223961fe65653d8fd5d66dc2fdc3e5d56422cdc5923765f78cf47d
AgentTesla
+ 10'903 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200715-bwe13g22r6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a913e37764443cac6061a325e794f1d56df0c62750380d5b979497ebffa7fdbd

AgentTesla

Executable exe 6626efff01b34eef4f69d8357052b70a36dd8abac62bad192397d335ff9247dd

(this sample)

  
Dropped by
MD5 a965e19c581b03678e24c18f33226023
  
Dropped by
SHA256 a913e37764443cac6061a325e794f1d56df0c62750380d5b979497ebffa7fdbd
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26243/

Comments