MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67
SHA3-384 hash: 3ddf732d9baf2c35762d0ac05d50f91b54afff6302fdda8be140b8f9feff6b36b09aa628f27c13f35f463894a112a87a
SHA1 hash: 076179b12b5ac08774a8b82b45c10c794501c4ee
MD5 hash: ee74b61557293a10e7720b8456b5f870
humanhash: seventeen-nine-connecticut-hydrogen
File name:KE_20200320_PI Confirmation.r00
Download: download sample
Signature AgentTesla
Create hunting rule
File size:668'213 bytes
First seen:2023-09-16 13:58:47 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:Qw1v+9wxtxUXcIB/ULxOSIJ5n8I1c/kQSiFlQNnsju4LG5rWQN2x:tvyG6sAU+J5nBiFlQ5sLGwma
TLSH T1E3E423A1D9F2FDC95824DAB07C43796A01D43CA582C73595B94FBCEA486A3420F677F0
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla r00 zip


Avatar
cocaman
Malicious email (T1566.001)
From: "idilsaki@aquaflex.com.tr <idilsaki@aquaflex.com.tr>" (likely spoofed)
Received: "from aquaflex.com.tr (unknown [94.156.6.100]) "
Date: "16 Sep 2023 12:52:10 +0200"
Subject: "RE:RE: PI Confirmation"
Attachment: "KE_20200320_PI Confirmation.r00"

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:KE_20200320_PI Confirmation.exe
File size:861'696 bytes
SHA256 hash: 0c836d55cf1ef40b9e609c2f3602a1a919df36935821f5c85745ccea2300e2ac
MD5 hash: 356d19be7d3a52d0a623cf6b59537910
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6505b4a732ffdb7a7a07e18b/reports/6cda59b4-a019-4202-adf3-4e346262c16f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-15 14:10:05 UTC
File Type:
Binary (Archive)
Extracted files:
45
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nny3ib7jswczhi25cg7ok3ojrn76rgpdzorpmxspjsnfztiebntq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6b71b407e9958593a35d11bee56dc98b7fe899e3cba2f65e4f4c9a5ccd040b67

(this sample)

AgentTesla

Executable exe 0c836d55cf1ef40b9e609c2f3602a1a919df36935821f5c85745ccea2300e2ac

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0c836d55cf1ef40b9e609c2f3602a1a919df36935821f5c85745ccea2300e2ac
  
Dropping
AgentTesla

Comments