MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cacb53730640ce58bbb9c5bc6c6d39b5ea9c7a0d21eec9ce131f82c0e159361. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cacb53730640ce58bbb9c5bc6c6d39b5ea9c7a0d21eec9ce131f82c0e159361
SHA3-384 hash: e019da0820aafc4692f91a3459ce6090d4c4ac546ea056dee98234c8ad1ae644ca8b845d97d66ca6cc96894c708a9ea9
SHA1 hash: c167f4c7e59ea5e34ae6da16403b3faec0fa1a14
MD5 hash: 2339ad41241eb758d7070d1dd58fd461
humanhash: zulu-salami-connecticut-victor
File name:New Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:427'008 bytes
First seen:2020-05-25 12:59:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:pYiyzfdmqw2RR4t3ZQ+USpUBDJE3QZNplSmGzLNKxt:iw2RWZQLasE3Wumwgxt
Threatray 10'586 similar samples on MalwareBazaar
TLSH E894123E63B86E23C6FA51B894D0D291BFB0D3A55282F3CBF94092B85E63BD04543617
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: serve0.fp189.pw
Sending IP: 173.82.243.104
From: Jose Landeros <info@fp189.pw>
Subject: New order
Attachment: New Order.arj (contains "New Order.exe")

AgentTesla SMTP exfil server:
mail.navarronavarrosl.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 13:36:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13e139bbe178716bcb38916a53a04942c863890ba52aaec6d669eb902e1fb9f6
AgentTesla
2176a0e2b600d06c89a8ebeeea19444df5a5ede09639af04f88d734b7fe01633
AgentTesla
4850ce25c3caf99fc7f558ec6666d08c43d69ed4e1be9a8fd37f289db69561ab
AgentTesla
642ce48af8f6fb3c7a74225655ef59a92e7cd4fcb98dc4af02359fb3490a9c55
AgentTesla
89c3a9a4a75c80b3552df2a5bda935056bc3a55a6f76b264645593cb966e2b74
AgentTesla
b3088a313a00c6774cb853379f427ffaab01a528a4561f814e2c7af24e5bfba2
AgentTesla
c4a2c8397cfa4f7f16a317aad541b6c48e35c4420249f702b2c6f01faf66ef61
AgentTesla
d64c548cdf246a19722734b1c94f30252f00873a2e0960dccd05101f05e845d9
AgentTesla
d807dcfd04f5d5eac71522a29a6911c504039edb6277ba9b35953ca9f5fcef8f
AgentTesla
e6f512cfa75e700baf5ca97be34d3b8dc03f4459dd2c11b018ad18d68140a988
AgentTesla
+ 10'576 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-fzqzj9kevn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 6ce07a9822ab0f92ea31954eead2c821a3a5d569c7468e01947ec504a2e5f77e

AgentTesla

Executable exe 6cacb53730640ce58bbb9c5bc6c6d39b5ea9c7a0d21eec9ce131f82c0e159361

(this sample)

  
Dropped by
MD5 d9e16737b268e541c68cd8fc20682766
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6ce07a9822ab0f92ea31954eead2c821a3a5d569c7468e01947ec504a2e5f77e

Comments