MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d44f8ab6e901e6a53350be7fb31f0f2bf50678440707adf46346c47c39fe91d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	6d44f8ab6e901e6a53350be7fb31f0f2bf50678440707adf46346c47c39fe91d
SHA3-384 hash:	9f9dfc47b986914fa18131128cda377d3adb212e5235770a4d88a1ba780aa34290ba400486c4e0c4bfe9497c9b140112
SHA1 hash:	0b063425127e89a6595079f33c66ec1396ebbccf
MD5 hash:	b04b1c770bf3ed9d23472087773d0e83
humanhash:	virginia-fanta-network-washington
File name:	BL Docs 204103842.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	743'936 bytes
First seen:	2021-02-08 14:33:05 UTC
Last seen:	2021-02-08 17:06:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:FiiZi970Oz6hGyQu6qj0D3wYr5wMsfILRYlxJ6IOwI0wFptD:FbZ7QLqj0D3wORkGLwcFptD
Threatray	2'515 similar samples on MalwareBazaar
TLSH	D3F4E03227E89F55D2BE37B90571922063F9F1069626D30DBDAC18CC4D65FC9A2A37C2
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BL Docs 204103842.exe

Verdict:

Malicious activity

Analysis date:

2021-02-08 14:37:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3e37e2f0-48a4-4d3a-b0d9-c65c1d4f5d76

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/116062/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.533.22486.21709.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/601883

Signature

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6d44f8ab6e901e6a53350be7fb31f0f2bf50678440707adf46346c47c39fe91d/

Threat name:

ByteCode-MSIL.Spyware.Stelega

Status:

Malicious

First seen:

2021-02-08 04:45:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvcprk3osapguuzvbpt7wmpq6k7vaz4eibyhvx2ggrwepq475eoq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3550ff88757875f1e8566d7855eacb36fa3213a1537d4125555bc71a88d55018

AgentTesla

3e10aebd7d43b95b74804dfd6619965ca3a360812f8a2fa67adb5b246e35d273

AgentTesla

800d8d254df93706903d11c9d97e4456294a4af1d600292206d273f57d4ce889

AgentTesla

83afca2bbcf01987559d5854df63d3862c931f9ac528a62d0111e78a6e7cefbe

AgentTesla

afaeffcfe0a6e4accf49f860a694f14ff25a44746b3413bbbb243546fee93717

AgentTesla

aff05449760ff99e902971d68c62bc5b86affd5f1cb40d6c911ae4c691943bec

AgentTesla

bdfce3522a6b59ac31c4912026f03f3f89bd912be68e1f596f9f2ea111a643ab

AgentTesla

f0998181a413c33d7696007625fdaa39855e454ef248ca2f2368ff2618468271

AgentTesla

f90cf6686fcfe69bb074cf65a5b7e19c8e97b1351377faa7a2477577d4171de8

AgentTesla

+ 2'505 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210208-zct9rhz3lx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849

MD5 hash:

befb0470c71d676cc891cba16088975d

SHA1 hash:

5b7143f97d1d656fd1cacf70949048c1951b639a

Link:

https://www.unpac.me/results/5ee3399c-f511-41f1-9e05-755978fc6e8c/

SH256 hash:

6d44f8ab6e901e6a53350be7fb31f0f2bf50678440707adf46346c47c39fe91d

MD5 hash:

b04b1c770bf3ed9d23472087773d0e83

SHA1 hash:

0b063425127e89a6595079f33c66ec1396ebbccf

Link:

https://www.unpac.me/results/5ee3399c-f511-41f1-9e05-755978fc6e8c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d44f8ab6e901e6a53350be7fb31f0f2bf50678440707adf46346c47c39fe91d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/116062/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample