MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6988a60d042c049bb04da81e5921e7848aa562faccb7ee555a9e324275e5b2dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6988a60d042c049bb04da81e5921e7848aa562faccb7ee555a9e324275e5b2dc
SHA3-384 hash: 86f88eff71ee75e229fa7a1ff71f75302e06a70c7a8054c26206778c2b17f6ee6b9dfaaebc6af845f94cebeb1f970b3a
SHA1 hash: 57c50419dffb12af56f7965bca8268b511b15736
MD5 hash: a8e42e66f9eceb434afce3bdfe05bf87
humanhash: yellow-friend-lemon-florida
File name:PI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:593'408 bytes
First seen:2020-10-09 09:09:19 UTC
Last seen:2020-10-09 18:23:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:QlJDGS1E4DYkW0G1c1ObwNPxXPxZfctbGL3WE3xGejIHlpYX:BSXYkb4c1ObwTct6m0xGjlpa
Threatray 9 similar samples on MalwareBazaar
TLSH 2AC4F0157DE70E56DAFBCABE5ED19C304F2DB0D36532E73EAA8CD1AC18952408C5881E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.hybridgroupco.com:587

Intelligence

File Origin
# of uploads :
4
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69502/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486536
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295712 Sample: PI.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 31 Multi AV Scanner detection for domain / URL 2->31 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 9 other signatures 2->37 7 PI.exe 6 2->7         started        process3 file4 21 C:\Users\user\AppData\...\BronxXneWaD.exe, PE32 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp36C9.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\Local\...\PI.exe.log, ASCII 7->25 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Injects a PE file into a foreign processes 7->43 11 PI.exe 4 7->11         started        15 schtasks.exe 1 7->15         started        17 PI.exe 7->17         started        signatures5 process6 dnsIp7 27 hybridgroupco.com 66.70.204.222, 49758, 587 OVHFR Canada 11->27 29 mail.hybridgroupco.com 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 19 conhost.exe 15->19         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6988a60d042c049bb04da81e5921e7848aa562faccb7ee555a9e324275e5b2dc/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 07:32:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngekmdiefqcjxmcnvapfsiphqsfkkyx2zs364vk2tyzee5pfwloa._file
Verdict:
unknown
Similar samples:
2d9767641256c44bceb6d6c684e76d72245750d1174408ef34e5d35185d4cadb
AgentTesla
68894ee0bb21a9d71c6c95fe64fd7e366b2619bc14834ead54543a0eac2f28fc
AgentTesla
6fb6937cf1cdf0d1c89ba807e43754a2d06754cd820992dc0b91cb61540cf547
AgentTesla
7f9ae2230e8288dc9d2be085d10b696542ac35641853f0afc85ca08d48f3c154
AgentTesla
8f1df804a5fc826de1487d95db7e15faede754cd925132f7e920fd712e154208
AgentTesla
982d5516b54a9ca64fa7cf03833f79f4b963504652997cba751cee2b3ff96979
AgentTesla
a041901d7e7a00b59fb1c4a4e1b2cdb7e9acd7c554d0a13412e658cb42cf0d5b
AgentTesla
b494f8418799f094e809de1bbce3970f01ae7f19a0db6c494d25656ae7a04d0a
AgentTesla
c26d4b68739ba791b12255f3d1a390e40950f39bab9b75c4435c121596689eb9
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201009-4dr4kfk7e2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
096517b30e592cca7ed053481ed5afe24f19f8cd2cae86c86ac45a80b51de0f4
MD5 hash:
09f7f6bd864b85c6f8d3a13084c22780
SHA1 hash:
13d6a7ce65940610ff5ea202499c78139813df1d
Link:
https://www.unpac.me/results/94b1959e-64a8-4777-9c3e-8ff92b99db32/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/94b1959e-64a8-4777-9c3e-8ff92b99db32/
SH256 hash:
47d7ef8d51876b2d7387f487a3699d41f359aa2ec09f359fb34304f42a37ecd5
MD5 hash:
65d17a6215adeb0c12ba236c6cff4045
SHA1 hash:
9af3c5d05ead092ba205de97cadab8e23a2c0ec0
Link:
https://www.unpac.me/results/94b1959e-64a8-4777-9c3e-8ff92b99db32/
SH256 hash:
6988a60d042c049bb04da81e5921e7848aa562faccb7ee555a9e324275e5b2dc
MD5 hash:
a8e42e66f9eceb434afce3bdfe05bf87
SHA1 hash:
57c50419dffb12af56f7965bca8268b511b15736
Link:
https://www.unpac.me/results/94b1959e-64a8-4777-9c3e-8ff92b99db32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6988a60d042c049bb04da81e5921e7848aa562faccb7ee555a9e324275e5b2dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6988a60d042c049bb04da81e5921e7848aa562faccb7ee555a9e324275e5b2dc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69502/

Comments