MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b4d7ac31a05055268f04ba4a727a23c12e25892aa8ff5896b28d21ab820aa55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b4d7ac31a05055268f04ba4a727a23c12e25892aa8ff5896b28d21ab820aa55
SHA3-384 hash: 8d41674e5bc8bc627f8d9304dcf76c7d875f095b685119d2757f8f0bb96de0e22d9650dc68a0a6aca020bd1a38b93d46
SHA1 hash: 4490233d019bf790417d270b2170fb39eb365da2
MD5 hash: 5fd4d416571ca588eb725557cede22f6
humanhash: sweet-jersey-india-vermont
File name:scan copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:740'864 bytes
First seen:2020-06-02 10:40:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bea360bfb27d8eea8cfadfbf8d4f992d (8 x AgentTesla, 5 x Loki, 1 x NanoCore)
ssdeep 12288:OP3Ap0AcJKfs3RrAIaNq4uoLGv/fTALjyH1Gg1hkXG4dLIbO1ehbP:kgKKsmIaznKHfsLsPUXG4dLIbO1O
Threatray 11'639 similar samples on MalwareBazaar
TLSH E1F49E22E2A07432C2631E7D6C5B77785C3ABF30696469866BEDCD4C5E3D3813926387
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: fwd-out.cmp.livemail.co.uk
Sending IP: 213.171.216.210
From: Purchase Manager <akbarali@jksugarmills.com>
Subject: Re: Purchase Order
Attachment: scan copy.rar (contains "scan copy.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 13:24:51 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nngxvqy2aucve2hqjoskoj5chqjoewesvkh7lcllfdjbvobavjkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
01623a798b7efb749c3409651a85050b58327c7dbe59740f79dac9b78ae24c9b
AgentTesla
120d96195361d6479ef060e244d7337939541c59b434d329103627f35d65f697
AgentTesla
33fefd2ae3ff75bcae6718f2abbc99bc7ca047a4543c5420883eb39e1128e9e5
AgentTesla
5841cc8f1da027df430a7b98fd52449ca345cc9461803168489ded449439b9e4
AgentTesla
a9d7b84cfc7fa078466ceade8534942fb80b0acd25ba3f8b848dfc12dc1fae21
AgentTesla
cd4ee674aa9d15d9b3ea4786f008b850340a14db344d5ba7ddddd0ce734fb3fa
AgentTesla
e5d0489c5b615585c49b6389f66c7f9e3694078e7648272db4632affcc5457be
AgentTesla
edfcf01c73ca6335d2040ac54b4d1513a4bb1ae7756e2ead34ddb6b03fb044f7
AgentTesla
f02f1aa81359a40dc5654db55fe211c8dff8c88a790d10089fcbca1840a84c3a
AgentTesla
f3232a34ddf3d75e57216467b754d135204fddc84a1755d694aef2c4a3b599e5
AgentTesla
+ 11'629 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-zgvy33jnye/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 592861ac6dc5549471a15f391530ed3dde7b41cc0eed8601851380f94706b4f8

AgentTesla

Executable exe 6b4d7ac31a05055268f04ba4a727a23c12e25892aa8ff5896b28d21ab820aa55

(this sample)

  
Dropped by
MD5 25f2978a00769716282bb9744de26ddb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 592861ac6dc5549471a15f391530ed3dde7b41cc0eed8601851380f94706b4f8

Comments