MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d5e3ff4357858fd6bbab3840d78714f9126a5cae6771ba45b833108c2da8b6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	6d5e3ff4357858fd6bbab3840d78714f9126a5cae6771ba45b833108c2da8b6f
SHA3-384 hash:	745d03e93547ede97395348eab76b966025e4ed255042c781607fb24a716b88a51a022cf052f3be3b5d300f12c508bad
SHA1 hash:	1b5013438a97d9a620a6ddaf687f5e31b58fca00
MD5 hash:	91f2eb065ad2dc3a29b1f28668342e56
humanhash:	bacon-pasta-winner-butter
File name:	RegAsm.bin
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	665'088 bytes
First seen:	2020-09-21 10:09:47 UTC
Last seen:	2020-09-21 10:43:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:vc5J+WQObWr9KZLJLUf9snBS4csPYae6qfzeQA:VWQurhhUF54clNf7eR
Threatray	3 similar samples on MalwareBazaar
TLSH	36E4AE042BD98B56F2AE07BDD0F6125083B0B96366BBD74F5D9030FE2D13355A901BAB
Reporter	JAMESWT_WT
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34559787.8188.24354.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Replacing files

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Sending an HTTP GET request

Moving a file to the %AppData% subdirectory

Creating a file

Enabling the 'hidden' option for recently created files

Running batch commands

Launching a process

Stealing user critical data

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/471129

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to steal Mail credentials (via file access)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d5e3ff4357858fd6bbab3840d78714f9126a5cae6771ba45b833108c2da8b6f/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-09-21 01:40:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvpd75bvpbmp2252woca26drj6isnjok4z3rxjc3qmyqrqw2rnxq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b

AgentTesla

e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b

AgentTesla

Result

Malware family:

echelon

Score:

10/10

Tags:

discovery stealer spyware family:echelon

Link:

https://tria.ge/reports/200921-t88w3lhtn2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Looks up external IP address via web service

Accesses cryptocurrency wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

Echelon

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d5e3ff4357858fd6bbab3840d78714f9126a5cae6771ba45b833108c2da8b6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/3xp0rtblog/status/1307735266787024896?s=20

Cape

https://www.capesandbox.com/analysis/4/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample