MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a86f9f00d24639b2ddd8103262c4b3fdd6248f2104a88bc230f448f64892672. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a86f9f00d24639b2ddd8103262c4b3fdd6248f2104a88bc230f448f64892672
SHA3-384 hash: 4bc0c12c85c3aca8af7f7ced05fcf367c6c653beb45f17df7584b643b026b41ebf4f093d98b4dd9d46450d6e8205944f
SHA1 hash: 0958746537e74110a415c48490f34e7967c9c24a
MD5 hash: 545567db7d4f30a32c6f56653c79b3d0
humanhash: don-aspen-johnny-hot
File name:SecuriteInfo.com.W32.MSIL_Kryptik.CYQ.genEldorado.15349.3218
Download: download sample
Signature AgentTesla
Create hunting rule
File size:982'528 bytes
First seen:2021-05-12 12:00:03 UTC
Last seen:2021-05-12 13:02:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:gugfx2UwCz/5blu3UsdZWqUrYEQlEur5Y4hIrv:gusxP5b81HUNQlEuO
Threatray 1'627 similar samples on MalwareBazaar
TLSH BB25128C321872DFC497D9769E958C705B61BCAB072B46432823659DCAAC88FDF052F7
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/155279/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.CYQ.genEldorado.15349.3218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779815
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a86f9f00d24639b2ddd8103262c4b3fdd6248f2104a88bc230f448f64892672/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-12 12:00:18 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkdpt4anerrzwlo5qebsmlclh7oweshscbfirpbdb5ci6zejezza._file
Verdict:
unknown
Similar samples:
03dfe6cedcfce8418e60ff61cd7a730c9ec52c383b2e5ccad5c67d0b1168146d
AgentTesla
12c0aac78e35536d75940c301e62cb8cb0388f4e43cf9f1925e02a66cbe2a319
AgentTesla
1b7544a23889922c4262251462e81dc2c6d481f1b6c5164a82e4ea5b2b31ff91
AgentTesla
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
AgentTesla
33a1631c7b9063a39f15b2fde90f874f5657417d7a265fa03b6277b9c907ca33
AgentTesla
5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9
AgentTesla
6a5e6d882ca54d4bba185f1b881b14795e8148dabeadbaf0f2035fcb2f678160
AgentTesla
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
AgentTesla
d00608bb50125705c3e214e84ee2979cb7b982bc6e3ea64c0eed1ae9ad2baa87
AgentTesla
ff05b5ddbc9d78b2f4507e9e2a16d63cc007584d9cc5e641b41a4a73d96d0c02
AgentTesla
+ 1'617 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210512-49vz6labp2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/6a86f9f00d24639b2ddd8103262c4b3fdd6248f2104a88bc230f448f64892672

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/155279/

Comments