MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c3660bf20a2e8b08dd1419f6a1f12195e83d7064724e7de895d648d5063a72e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	6c3660bf20a2e8b08dd1419f6a1f12195e83d7064724e7de895d648d5063a72e
SHA3-384 hash:	7ec468689511b888e43f88cf9bdc4defaa2f405f5f12c171f2916c469b481532e0a1f7ced75531b9bf42cc15ce944dee
SHA1 hash:	079eba2add88c93c6f6168a04a2b0b32d2190f24
MD5 hash:	c2b231062cbe27b6a2b42637152c8967
humanhash:	hotel-yankee-green-may
File name:	c2b231062cbe27b6a2b42637152c8967.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	37'376 bytes
First seen:	2021-04-25 07:05:58 UTC
Last seen:	2021-04-25 07:39:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'649 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	384:8JDr1xmVMrL9Drn37QzIPc7MOQs8XIQH/7ppl/Mm+l03RdJmXswe6bKi:891xmeF7Q0UQD1f333D6so
Threatray	4'178 similar samples on MalwareBazaar
TLSH	D0F2542EFF03B676C64651324CA372E05AEF43968935C75BF9EEA63449CA214095FF80
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.cerak.co.rs:587

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c2b231062cbe27b6a2b42637152c8967.exe

Verdict:

Malicious activity

Analysis date:

2021-04-25 07:08:00 UTC

Tags:

trojan dtloader loader

Link:

https://app.any.run/tasks/c50ae401-ccc9-4979-a677-24e1866e8072

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/144061/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36779772.9037.20449.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Sending an HTTP GET request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Unauthorized injection to a recently created process

Adding an access-denied ACE

Creating a window

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb125801-5277-40ed-b450-ea711d6c5b5b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/696958

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6c3660bf20a2e8b08dd1419f6a1f12195e83d7064724e7de895d648d5063a72e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-25 00:58:53 UTC

AV detection:

11 of 47 (23.40%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nq3gbpzaululbdorigpwuhysdfpihvygi4sopxujlvsi2uddu4xa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

413f22dc59eee0b4d6a13b1264a4370d7957c73766050ab62bde81e8e496c8f7

AgentTesla

5168c572e69b3f0a5742e12e645eeefedf6c00b377540fc9ce5cff38169ccb19

AgentTesla

51d5859f266a7b373d71b9fd71d2eec4975a8d35fb01486f624b9235120e12d8

AgentTesla

52898077d59e820a64decb2133661ee42a36259da3fb5e6bfbb6c6269fed7bf4

AgentTesla

587eded992067de0dd280d6f85001be0956623bb0a4228b1893fa3cb52e58c49

AgentTesla

7d9db239a664291a5556c35a58dfc031f424dfab9fd78f5b3f3a02851bd0702e

AgentTesla

82aaa2be9712c513dc78ebab36b41fe2848e23a6b60f13023c92024af0726943

AgentTesla

8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90

AgentTesla

b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb

AgentTesla

+ 4'168 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210425-ek9vy844ea/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

6c3660bf20a2e8b08dd1419f6a1f12195e83d7064724e7de895d648d5063a72e

MD5 hash:

c2b231062cbe27b6a2b42637152c8967

SHA1 hash:

079eba2add88c93c6f6168a04a2b0b32d2190f24

Link:

https://www.unpac.me/results/5f003e72-accd-4ba4-abb3-e659eff840a2/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 6c3660bf20a2e8b08dd1419f6a1f12195e83d7064724e7de895d648d5063a72e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1145522/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/144061/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample