MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b6a0a9a882003f1313cc2ad29a0cc12fda5f22ef77e239ce65fca25ae95b058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b6a0a9a882003f1313cc2ad29a0cc12fda5f22ef77e239ce65fca25ae95b058
SHA3-384 hash: d4d00facb006a51e3641bc5be0970a043e28a8e85c6f9eedd3f9290dda13aa9313074d1aa6243c7e96631d9c63bf4d18
SHA1 hash: 731198866de974caaa30b61045b5750b45627d68
MD5 hash: f02d19d80a6651e44e7eb78a9c96a938
humanhash: snake-double-potato-maryland
File name:BANK TRANSFER ACTIVITY DETAILS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:448'000 bytes
First seen:2020-10-22 06:53:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:dgCQiXgNJUkHLCGIvPNlYZTdLP0C7ifNfvuSSSr:eCGw
Threatray 730 similar samples on MalwareBazaar
TLSH 8A948F2039BB905EF273EE7AADD4B4E6CA5BF7733505A8691061C3024513A83DFC953A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: bnp-propulsion.com.cn
Sending IP: 103.125.191.94
From: Zhuoyun Duan/段卓云<zhuoyun.duan@bnp-propulsion.com.cn>
Subject: Zhuoyun Duan/段卓云<zhuoyun.duan@bnp-propulsion.com.cn>
Attachment: BANK TRANSFER ACTIVITY DETAILS.zip (contains "BANK TRANSFER ACTIVITY DETAILS.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74492/
Detection(s):
Sanesecurity.Rogue.0hr.20201022-0807.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506709
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b6a0a9a882003f1313cc2ad29a0cc12fda5f22ef77e239ce65fca25ae95b058/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 01:51:22 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnvavguieab7cmj4ykwstigmcl62l4ro657chhhgl7fclluvwbma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
564430d34398ae8a04894b90c02aadfb95fce13a06644aa095f533a73aac4ff9
AgentTesla
6e032f7806e9839c8652495c42ded1cc153c6bf3fe2250dee2cd87132f95892c
AgentTesla
9db4c4a75f04844a37e15aa0762751beed2422027496e06b76a435c953d94330
AgentTesla
a183a94f7c049de1770e76be272a29e0ec7b3b4344ef5c4dc2fe9ddd5962b5bd
AgentTesla
a47357333cedf89cd51745ccd03a9bc33653e6aa5dcce2214934286d7c6b727d
AgentTesla
be6d4618333f5bca53591236f870ab7d368843e7b32b3333d97a4a72d920559a
AgentTesla
ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f
AgentTesla
df1fd43f5e715d4b610466b4cc55331d3978e1f771c3991d9844c72345a5abbb
AgentTesla
f010bc0295db81514c87fde7298f3425670ae67f4f24a21f20232a10eb644907
AgentTesla
+ 720 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201022-2bhqldhbda/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6b6a0a9a882003f1313cc2ad29a0cc12fda5f22ef77e239ce65fca25ae95b058
MD5 hash:
f02d19d80a6651e44e7eb78a9c96a938
SHA1 hash:
731198866de974caaa30b61045b5750b45627d68
Link:
https://www.unpac.me/results/a2962e0f-37de-4f95-a876-6266587999cd/
SH256 hash:
3513d4e62fb1343d4b5b86e28416618bdeb3d0480cccf958b266f2b7e8269e17
MD5 hash:
6586a8d394939a03dfbd5688b33fc532
SHA1 hash:
f75da85daf8950cff0a218a3d54e75d61c9e5810
Link:
https://www.unpac.me/results/a2962e0f-37de-4f95-a876-6266587999cd/
SH256 hash:
5fda7ee9bc5175075ee399ebf129d02f46eee3955ec06d359409e913ba7612d7
MD5 hash:
a10645a9d67ce46819443318e9b3063c
SHA1 hash:
a1ba5cfd0eb7fda77e513e3cc5c647baba61e29e
Link:
https://www.unpac.me/results/a2962e0f-37de-4f95-a876-6266587999cd/
SH256 hash:
81dfb4bb2f591fa7d68e98e684811e5a0a6ffbf7b2ea5cb7ba7bc3f2f13e6bf8
MD5 hash:
87378031f9bd971f09b0a8347ac42cca
SHA1 hash:
a272cf99e5acabdc98f3e633cc8cf19c730aa139
Link:
https://www.unpac.me/results/a2962e0f-37de-4f95-a876-6266587999cd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 58edb1047b20cc74e35789491b8ece632bc47119426eff32ce0575db269cdda8

AgentTesla

Executable exe 6b6a0a9a882003f1313cc2ad29a0cc12fda5f22ef77e239ce65fca25ae95b058

(this sample)

  
Dropped by
MD5 2048d4ae851af46c959d6c3b693bc563
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74492/
  
Dropped by
SHA256 58edb1047b20cc74e35789491b8ece632bc47119426eff32ce0575db269cdda8

Comments