MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b3d1c1490d2245c68517ddbc6162dc80b9a63695095e43f51c2fef4df710d11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 8 File information Comments

SHA256 hash:	6b3d1c1490d2245c68517ddbc6162dc80b9a63695095e43f51c2fef4df710d11
SHA3-384 hash:	96670103d624122279eaab2ee25b99d8ea43c99912c1b2851dbc40d92c28ab1a2bdcba84e1f8be5c0e8228b09e5b9957
SHA1 hash:	57f5b98336b4f5a99ab0a26254d6290bc95b4e2f
MD5 hash:	faa5ef3b93cda96aa24f4a17d0da68af
humanhash:	indigo-oxygen-maryland-comet
File name:	6b3d1c1490d2245c68517ddbc6162dc80b9a63695095e43f51c2fef4df710d11
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	706'048 bytes
First seen:	2020-11-10 11:02:33 UTC
Last seen:	2024-07-24 15:27:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:sVuDvimyzt/0pZ4YUIPHJuazFYT6KcmLHxDPun8G6:sVIvixEZ4YJIaxo6888G
Threatray	10'913 similar samples on MalwareBazaar
TLSH	C6E4DFEFE39B95ECDDED9E38D42051D043A4A1C12103EA1ADCDEA408E9E25F0637566F
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b3d1c1490d2245c68517ddbc6162dc80b9a63695095e43f51c2fef4df710d11/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2020-11-10 11:03:51 UTC

AV detection:

28 of 48 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nm6ryfeq2isfy2crpxn4mfrnzafzuy3jkck6ip2ryl7pjx3rbuiq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

09ffd88cbd13cd8439d94e1b593d0d3d358dd5455d39f5b0c2a860095141a250

AgentTesla

1596485ee8331651ad1cf0e3b2bbff49bea4be5f8b1b051e6e520582b73b36f9

AgentTesla

37be898f8c2b0f9dfc4663070ae1ac1fd0f4edc08760d5c40fb18c7353f7f476

AgentTesla

40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559

AgentTesla

47ecae395889d51a3835daa21b154644f1af8f53e03d2118f71850775777b87b

AgentTesla

65f2622026a29f02d0785f3fa3d3ef2a26aff0681acceb61bc72e8ecca5ff07e

AgentTesla

aefa2f5a8448c792183fedf9d025becfb782102b749c0fe3be273975f2dc3b61

AgentTesla

d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e

AgentTesla

e38e6ac839b8009c1c6d467ed4206f912c39a15af7a1fa7ba4a2a854e441fe50

AgentTesla

+ 10'903 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201110-jtlm48n9e2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

6b3d1c1490d2245c68517ddbc6162dc80b9a63695095e43f51c2fef4df710d11

MD5 hash:

faa5ef3b93cda96aa24f4a17d0da68af

SHA1 hash:

57f5b98336b4f5a99ab0a26254d6290bc95b4e2f

Link:

https://www.unpac.me/results/301b2666-affa-43de-bb69-4ed39f5d026b/

SH256 hash:

3d1fe202a5052a62c8a85d4724aa3cb275f50187988d5b6aa391c3b835c4510e

MD5 hash:

77d59b3a0e8ace170280c548e53d0d90

SHA1 hash:

52708f3028bcde20b8407e7d3e168aee49a19731

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/301b2666-affa-43de-bb69-4ed39f5d026b/

Parent samples :

b809a69d10661d2442a6747353cf2a9ad134aef8553967cf7cb9b03fa615ea2f
6b3d1c1490d2245c68517ddbc6162dc80b9a63695095e43f51c2fef4df710d11
497d96cbcbc38fec09a93e46a82a75c0d8ee792375bf46dc7a36765a80fcf536
4fa5431597c322c631983544e8a1c8c3dd23efb59c08b1bf09761653b9b40ab5
9645b2213801b5e7f840621ca3c5c025d90a03dc5bccedbf391d73bddca7145c

SH256 hash:

dcaa05bef752445a2169f6d74e5e17c638168e2e844b8eb1bcf8728f9436817b

MD5 hash:

eddaf05889130d11f582b8631b1025a5

SHA1 hash:

72042a9543826431312adf0e0710d847b8871707

Link:

https://www.unpac.me/results/301b2666-affa-43de-bb69-4ed39f5d026b/

SH256 hash:

b76920a3739ce0c15d789c288a3a7c60505126813499f7b4f7bcc69381795966

MD5 hash:

fdd04d213688021d02f205ff999e4d49

SHA1 hash:

aabcb41469b423b78f594221a8a0e8ed3a102111

Link:

https://www.unpac.me/results/301b2666-affa-43de-bb69-4ed39f5d026b/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/301b2666-affa-43de-bb69-4ed39f5d026b/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample