MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6906010d796861631e527431fc9ecea28a277307ab374a9641bf716856535b69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6906010d796861631e527431fc9ecea28a277307ab374a9641bf716856535b69
SHA3-384 hash: 2e1628a163cf150865bf094bd2b2315644093b79b03c8535a386de64587f02496d1787f2b2b5acf38e7faa9628a1685c
SHA1 hash: 72d2045ef3b443d8ad83f75bf11190b557b5b593
MD5 hash: cfd98a893dbc815f224d17de8578b868
humanhash: kentucky-april-network-spaghetti
File name:Consignment Details_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'632'192 bytes
First seen:2021-05-05 05:31:42 UTC
Last seen:2021-06-02 18:51:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:zi/sUsMsbsxsEsQs9s/sksGsfs1sM3sqsMsChs1ssstsMsMscsAsosnsusRsQsOP:O7
Threatray 4'467 similar samples on MalwareBazaar
TLSH BFC531882835D5695B58E3BB42D4BD30D90FBCAB04B8A4F776491B2BC704952B03B7F9
Reporter cocaman
Tags:exe TNT

Intelligence

File Origin
# of uploads :
5
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/149894/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.703.18314.19205.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Sending a UDP request
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711460
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6906010d796861631e527431fc9ecea28a277307ab374a9641bf716856535b69/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 00:42:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nedacdlznbqwghssoqy7zhwoukfco4yhvm3uvfsbx5ywqvstlnuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04c9ccc533b33d9eaa98a4f82f32bcd142c1228492d195ab5335c094643b7a7c
AgentTesla
1b467c02c56a9130e3fb9e62e0ee62aa6b950845c9858f95656e659b814699c3
AgentTesla
2e525c09344f83f1f77d92e492a3fe75158e5424dcc22be92a45870168275879
AgentTesla
4680676a42011fbee774340878a3909c14e8875ec46142ffa4cd2f3f97e50671
AgentTesla
566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
AgentTesla
74c2de98613605ab363adbe378405c65f3cfe408dbd59d6b01c7bd69f0224cb8
AgentTesla
7b4b43d22be88ed3b2054ef7090ebb7b44ecc03dffa6c32e578002c9a12cbea8
AgentTesla
8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf
AgentTesla
a997db748e940751ad67b16d4d58b0a4684c4106dd751f52df9d49bd67b9e9ea
AgentTesla
b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5
AgentTesla
+ 4'457 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210505-cwerm71cqn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
76a10b97eb41b6b4bca841b35c3b999ffc2a0841ca21c46013ced6ff906cb30b
MD5 hash:
6cb3e20327154b9f550b15aa16dadcc1
SHA1 hash:
bb2408c1bf89c5bc9b542b0f02f775997c5508a8
Link:
https://www.unpac.me/results/8610b0d8-db61-405b-9538-119659b23ea9/
SH256 hash:
c2abe5309d6a975475aa1267809b7e310b3589edadc180d66580b4943100d008
MD5 hash:
02f8d137c9ade5fb0ee7660b5ba8dfb3
SHA1 hash:
271017310b7bda711a67ebc458f975050f260b5a
Link:
https://www.unpac.me/results/8610b0d8-db61-405b-9538-119659b23ea9/
SH256 hash:
6906010d796861631e527431fc9ecea28a277307ab374a9641bf716856535b69
MD5 hash:
cfd98a893dbc815f224d17de8578b868
SHA1 hash:
72d2045ef3b443d8ad83f75bf11190b557b5b593
Link:
https://www.unpac.me/results/8610b0d8-db61-405b-9538-119659b23ea9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6906010d796861631e527431fc9ecea28a277307ab374a9641bf716856535b69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 4b58992b26f47023772b4651fb523236b890894ac1fbafa7832ce0937b5fcfb0

AgentTesla

Executable exe 6906010d796861631e527431fc9ecea28a277307ab374a9641bf716856535b69

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4b58992b26f47023772b4651fb523236b890894ac1fbafa7832ce0937b5fcfb0
Cape
Cape
https://www.capesandbox.com/analysis/149894/

Comments