MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d2865589e86a2165f639cb417415eb23192d8a06387c5fa4a7eac14795101f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d2865589e86a2165f639cb417415eb23192d8a06387c5fa4a7eac14795101f6
SHA3-384 hash: 07c5daa88932f6fb0b7cbf4adb45e495ce12ade4611b64c4491c1fc09ca43db4401baa4cb25911e49be9c7856a89c2cb
SHA1 hash: 942972fef8bc94eb2b347820e619f7fb5fbc5285
MD5 hash: 9960ba8bdeb1a0a734c7c0ef1142c405
humanhash: steak-pennsylvania-ack-georgia
File name:9960ba8bdeb1a0a734c7c0ef1142c405.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:415'744 bytes
First seen:2020-05-31 06:33:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Ruevg2ru6DxmbbT7kMSCzr7SDAvbYAksqhcmZ:IeYwu6NcjaCzvSkTTq3
Threatray 10'702 similar samples on MalwareBazaar
TLSH 6D94128437FA6B22D9FC07F069A264501778E91AA973E7081DD760DF57A3B0042A1FDB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-31 06:35:30 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
217bb4b351efd731e57ec953549c757eab0751839f4be4c8a996a5f7a8e571a7
AgentTesla
2db853eacff3513f7c3b63f8fa58baa6f4eb2a8cb6d1b6d60ec62c85b3bc8801
AgentTesla
3203c6bd71fce4ce12368d06cff3ea603a0dc1781b18dea6ba364c7604e53d24
AgentTesla
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
AgentTesla
90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
AgentTesla
933323c4e7302a4eb50f84483b2ab939f657a35c94cb67aa59979507b0c60486
AgentTesla
94750c2deb968fcc6fa8df8438ec67e6fc4075503136b83883ca29b163559597
AgentTesla
d725785ec3970b75ecb17a7e5ac14d93ce7a54d259dffc74e8222ed8cfb8b6b3
AgentTesla
f218ca5df76d3fd3af680e0a732a71e441da31cdabfee7b9705afaa4c0037c12
AgentTesla
fd082cd2d7dc7f49e080cfff1b34ee8253aad997e1afdf879405fb8ea6655e74
AgentTesla
+ 10'692 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-phdrxb7xjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 6d2865589e86a2165f639cb417415eb23192d8a06387c5fa4a7eac14795101f6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/362132/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/326354/

Comments