MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c331442b5cc2b6bdec1c4ba1175373a44fabcfa6d342f2cd91315e22628be14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	6c331442b5cc2b6bdec1c4ba1175373a44fabcfa6d342f2cd91315e22628be14
SHA3-384 hash:	4cdc3fcef9bee8716d07d6416fc20c9a1c080ed641ce3818d1d4c4261d14b1233c93e3c8fd37beefbde4d2f31fc0e5ec
SHA1 hash:	8ff6fbd0d3e67abba6ed77c3754f5448a2804516
MD5 hash:	ad9402d8750681c54151a7876d6f3362
humanhash:	december-arizona-ohio-network
File name:	noah.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	466'944 bytes
First seen:	2020-10-23 11:37:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:bGUR5Mu/W2wwJsf+oqBjUyZVga/MScqNLfKOWfrOGV2rW8490OH1sCjZUt1C:bGm5jwb2nv7/TNLfJMi490OH1sm
Threatray	839 similar samples on MalwareBazaar
TLSH	EEA45B2DA609FF74E52FB0B0400250F20552FBD26EB6F20F6F813D99DD527990A9AE47
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: web032.mivamerchant.net
Sending IP: 216.188.128.186
From: Export Sales <info@jemngroup.com>
Reply-To: info@jemingroup.com
Subject: RE: Swift for transfer EUR 58.000,00
Attachment: Swift EUR 58.000,00.rar (contains "noah.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/75030/

Detection(s):

SecuriteInfo.com.ArtemisAD9402D87506.14195.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Creating a window

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/508064

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6c331442b5cc2b6bdec1c4ba1175373a44fabcfa6d342f2cd91315e22628be14/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-23 09:31:02 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqzriqvvzqvwxxwbys5bc5jxhjcpvph2nu2c6lgzcmk6ejrixyka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3b2ea32978b65edcc7308a2860e788b7631ecdde10e72b689268f3fdffdaeb4f

AgentTesla

5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c

AgentTesla

7493353a29f1591f88e0013c3aa0fb8810f49be33b111e6c5f1e462b16644c45

AgentTesla

b6dac3c563e7b771fa56992d6c5ac321278e8ff4653b5f50f283855e672cdb3d

AgentTesla

b7d55f5145ac91a9b2e9d1b98f65bf6844248ebd6612be241e2fe5755dcf0733

AgentTesla

d4ad194829837ef26e4edc89c9a7bd0db40904f93517cdc137bc78176ef617fe

AgentTesla

de86cb4227717aa6e3818fc1f0ec62d733b1e5e941f410db7c0065ea4c4f7e94

AgentTesla

ed2d120151830f0dd5f1ba2f201d05bdf90702efa5d41365bd54b9b04c15aa28

AgentTesla

fe2f20398cff7bea0e10e10940e0936e2525ba8dba51263387f1b1d82d8b1aea

AgentTesla

+ 829 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201023-yychjeav9a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

76955cd8fff7c3e46c3663283dc75366b413c2ee02748e51309be2b36c7af225

MD5 hash:

a915ed51361e07a6c7c0a8a27ada52fe

SHA1 hash:

ec6c28067aa42b165cc60bee734995b26348871a

Link:

https://www.unpac.me/results/20d73004-befc-4a3f-b6af-e85cd87f129f/

SH256 hash:

6c331442b5cc2b6bdec1c4ba1175373a44fabcfa6d342f2cd91315e22628be14

MD5 hash:

ad9402d8750681c54151a7876d6f3362

SHA1 hash:

8ff6fbd0d3e67abba6ed77c3754f5448a2804516

Link:

https://www.unpac.me/results/20d73004-befc-4a3f-b6af-e85cd87f129f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6c331442b5cc2b6bdec1c4ba1175373a44fabcfa6d342f2cd91315e22628be14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.