MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bf4d1c0e5018bdd01970b9834eaffd21f8d456d8cefe066c305cf8f8317024b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bf4d1c0e5018bdd01970b9834eaffd21f8d456d8cefe066c305cf8f8317024b
SHA3-384 hash: 2bb4dd3de0dcbba963db96b51d9fa0195b343537b01036e41ac830d61bfa2e2ce77566140f5e174a82535b6b533c114e
SHA1 hash: d1667ae8ee8ed6062da47b2fed5c62244645362e
MD5 hash: 7d5bce45fda84c850abc5bbfb63a56df
humanhash: eighteen-winner-hotel-hawaii
File name:New files order-PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:649'216 bytes
First seen:2020-06-19 04:38:37 UTC
Last seen:2020-06-19 05:46:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:P8+d9gMdLXTWFGMap3wlbcRUlvT5xRg+L9PTPBzW1JJovLpM5dIH2XBB+qUoH:PRvldzK4wa2vBgs6155dIHABYL
Threatray 10'693 similar samples on MalwareBazaar
TLSH 2AD44B3D7A85B916D63D0A3204A95294B2B1E9437F02C70F7ACA479C6E133DF3B46399
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19864/
Detection(s):
SecuriteInfo.com.Artemis.22578.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-19 04:01:10 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=np2ndqhfagf52amxbomdj2x72ipy2rlnrtx6azwdaxhy7ayxajfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02fafe7d00909727bb91670774f201dc8ed5122c7c0c6c25c2c8b227b6a77df4
AgentTesla
1561967cff081a9b139de45a82e6a61e2f5b01834d4666f2fc88cf0c52220268
AgentTesla
3bffd1c8945804a71bca4c0861dd2f26362847c59d6adc15b8c3ecb82d5aa026
AgentTesla
5bce10125f245dab9ac4ef1c0dece6313b43512e721f70f7c4846ebb23b1cdbf
AgentTesla
6571a6a2f8b29ed6ff0f9df04eb1081d339d76f81f3e1cf83245f7d1485907cc
AgentTesla
6a9aed50d116430db97c672e5b6083da7f6b3d0221cd9bc35de7ee4dfd54e6f0
AgentTesla
75ef91b36f46cb8875ffaa6af3cb7f38f8689ee9c16e50f9af87966a2648962f
AgentTesla
ad3cb5c83f96b193664de0960138edd1219c75881de62e67eceade8ae799c174
AgentTesla
d149b8b19b0a2841e483fb8e2671390b2073bba721dad0f24eeb0fbc23f4c954
AgentTesla
dab4f3595b805cc1d2e40f0b625a553cfc6c95db176df4f0673c42f8f02e4cd7
AgentTesla
+ 10'683 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-6wp566t2me/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz f36983f4dc216254c05477d6b729663ba4d8b1dc2d5145b36fe67b288bd7992b

AgentTesla

Executable exe 6bf4d1c0e5018bdd01970b9834eaffd21f8d456d8cefe066c305cf8f8317024b

(this sample)

  
Dropped by
MD5 55991428d6ffd7f5af69b5b5f3895eb7
  
Dropped by
SHA256 f36983f4dc216254c05477d6b729663ba4d8b1dc2d5145b36fe67b288bd7992b
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19864/

Comments