MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b351bd97b35ada715fccd60bcdfd82a836beab4c178c2fcd58c71981c97373a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 9 File information Comments

SHA256 hash:	6b351bd97b35ada715fccd60bcdfd82a836beab4c178c2fcd58c71981c97373a
SHA3-384 hash:	ab34ba66e1f052f7cc8b48ffc0138cd3fca3933b228f3f339ff911e33c7c5634fd7c8e1faa9985adff48ff720694e3fc
SHA1 hash:	9e3bcdd4a46d192ae6ac350d46021e64a6ca5fe1
MD5 hash:	27c0d3ecabffd0051270825f615da6e4
humanhash:	table-stream-delaware-early
File name:	6b351bd97b35ada715fccd60bcdfd82a836beab4c178c2fcd58c71981c97373a
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	752'128 bytes
First seen:	2020-11-11 11:08:16 UTC
Last seen:	2020-11-15 22:50:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:ggqwEHlsnrrsZNQpt8LFcNxmqMf3VY2A1Mangv+wK2OD6eRYJGxGJ45T77bbuiOg:J8O2qQjA1M6pwKhGJGx75A
Threatray	9'639 similar samples on MalwareBazaar
TLSH	79F4E131616EEFC3D73D5BF9806513092FFD292B9120FA9CACC520D225A7B464A24E77
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b351bd97b35ada715fccd60bcdfd82a836beab4c178c2fcd58c71981c97373a/

Threat name:

Win32.Trojan.Tiggre

Status:

Malicious

First seen:

2020-11-09 15:05:41 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nm2rxwl3gww2ofp4zvqlzx6yfkbwx2vuyf4mf7gvrryzqhexg45a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

18f1f0cd31212210131834c74f816f2c7fa78f50019257f714b616dbcb2e2320

AgentTesla

19f27d5a7c6c6804a869bf2ff5dc4d59a3b00c2193184ef6adb58c63d29776fb

AgentTesla

4d999c1660ff34c639225029732ed7aa9b3af03e5b20c054e9310f1f208fb608

AgentTesla

56c026a1b3db5b77e3d01e2ef5f727cae05b34e19fd01055ee1ba374bba3af5f

AgentTesla

87f55f5b616401b8f1e43bd3f56b5d55fa4ca3e6e9c878260702f63020042079

AgentTesla

93d92806cff2c0d375bf2fcc33e9c6ebb1697fefa8f25a7d481a639b8159da2d

AgentTesla

97430f411a93deb9ba7776b9385a519ce69595a3f188c8a483a283f20e8db3c7

AgentTesla

aa731bac3bac456751072d7a2062899e999d6437f085f893f4a5130784e161dc

AgentTesla

e4b48e7ff864393ce7ba79ce14b298a08898bddb2cd233dd0e3ecc3997dd9c3d

AgentTesla

+ 9'629 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201111-g6nkzxp4ss/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

6b351bd97b35ada715fccd60bcdfd82a836beab4c178c2fcd58c71981c97373a

MD5 hash:

27c0d3ecabffd0051270825f615da6e4

SHA1 hash:

9e3bcdd4a46d192ae6ac350d46021e64a6ca5fe1

Link:

https://www.unpac.me/results/055c0431-da96-4181-a6d9-77dea9e1a95d/

SH256 hash:

d54250201624e3a3db786523a622dde75618b71bde5767b8f2b8f4fd324d967d

MD5 hash:

ed0c31770fa30ccd1f5869611630969b

SHA1 hash:

85427cbe3935763ec518878c3050feb3754a24f3

Link:

https://www.unpac.me/results/055c0431-da96-4181-a6d9-77dea9e1a95d/

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/055c0431-da96-4181-a6d9-77dea9e1a95d/

SH256 hash:

af00b564d58bb8cfe11e1addec64b79be8a273bb59fb61a95fe11307e8b002be

MD5 hash:

71c2f5a34c9095eec8ec6209c1328a6c

SHA1 hash:

d729d928432ed50d51a45240b16ac83e0ca2a7a7

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/055c0431-da96-4181-a6d9-77dea9e1a95d/

Parent samples :

498a82ce3b34b5db478f98574a168fa0bc53d389e50463cb0a8b76bb5b4314d5
7aa5b4e9950f3e33225737167cf98216a75cb07ce9811008b4055afa5c3dc7c1
7803ab989c8b8ec421d1fcac8a7f2f4f568a6700674866b43596f9a77e31c141
611424b88bb2a0352e23a4624c68814b745ef1adac8c3777fe11911cea05e67d
6b351bd97b35ada715fccd60bcdfd82a836beab4c178c2fcd58c71981c97373a
96cfb1824ed67f1edf9ae77b11839157b4ff1311c742e37cc89c34b041b1ad01
d201b61e335db27391c4c614e9ff0eb3bbc485cf5aeb4be4a1bf9a797817feaf
74bd4eae20ecbd645b602e13b024aa09ffd427f71e9b9f9a78bbb9fef7718d1a
b6ef61b5ef75d64fa64bac880af715c9f66c8a4a6a1f352e8183e82e91b698c0

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample