MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bc91265c3e4b3aba6f05a52e22273b445be07032a2e56c4eab5bec41e963350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	6bc91265c3e4b3aba6f05a52e22273b445be07032a2e56c4eab5bec41e963350
SHA3-384 hash:	8a2f58b0a00ad1e6eb561fb4f284601838846a0198943f1d988c5302eeccf056458f40070b82110aeb76b5523df28bd5
SHA1 hash:	399d93ab7c1e1ca9b9be2cd45dc00781597ebb5f
MD5 hash:	0060cf4ff7daf294ea45bb30977b632b
humanhash:	vegan-happy-jersey-solar
File name:	MSKU4460632.SHIPPING DOCS. AWB PACKING LIST ISO CERTIFICATE BILL OF LANDING DRAFT. COMMERCIAL INVOICE SHIPMENT INVPLTHS0094587231.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	752'640 bytes
First seen:	2021-05-05 05:36:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:UDoMQ98OAQ9ciLqcGuMRHCqF/QicPKxH9W5rw6pUvB+2zht5Wedg5RVYg6thmv:GoEOAQ9fL5GuMRHnF/YgHYXpMBzhtTgz
Threatray	4'674 similar samples on MalwareBazaar
TLSH	5AF423AC1D8B798ECA3FC2B01350A6C925FBDA473503DE581E92A621D4C77C2DB535B2
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/149899/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/711432

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6bc91265c3e4b3aba6f05a52e22273b445be07032a2e56c4eab5bec41e963350/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2021-05-05 03:07:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

6 of 47 (12.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nperezod4sz2xjxqljjoeittwrc34bydfixfnrhkww7mihuwgnia._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

08f9180d3f0932f1cd782a0513e920ebeef8f16eb8736e28decaa3ae427526cf

AgentTesla

21bd5e4845c12f0601ae8988314a461339e03e78267cac80f4a34ce93ad404ab

AgentTesla

865be6910571e1334ef42b0396a44f76c45ad6048132da31f5599fe2dcfa2081

AgentTesla

9829d39cbbfccc4142a5374e10f03470f60ea6e1f8a927b2516c8166f9b97f69

AgentTesla

9b49a9b7baa2dd6642fcc3c97976f6f1ddb0f8d6b4261ce4b32583c75a572e4e

AgentTesla

a7df178348dd3563a0a0a44ec82af4b6bc15bf352337ef690fac078cfee6ec49

AgentTesla

e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0

AgentTesla

f04d5b287971f60d5f04b262f3714a790b7d7c9b591ab88faa1d1f5244792d09

AgentTesla

f7485552ad15dd1f3dce2579b733e104dea810e8bbc1defd06fc4de935ca6a17

AgentTesla

+ 4'664 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210505-1fv6ccr4nn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/748d326d-b26b-478b-a56c-2f1579a9e4a1/

SH256 hash:

6bc91265c3e4b3aba6f05a52e22273b445be07032a2e56c4eab5bec41e963350

MD5 hash:

0060cf4ff7daf294ea45bb30977b632b

SHA1 hash:

399d93ab7c1e1ca9b9be2cd45dc00781597ebb5f

Link:

https://www.unpac.me/results/748d326d-b26b-478b-a56c-2f1579a9e4a1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6bc91265c3e4b3aba6f05a52e22273b445be07032a2e56c4eab5bec41e963350

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.