MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146
SHA3-384 hash: 644204537b48b1e711955716b5bde596ab34d2397efc66ec589ad8d8ce0192c3f0b4c6cf034fddac2a95b3bc401703f7
SHA1 hash: 28371716eb5fbef43e44bf3eadd6872db070e82c
MD5 hash: 9869608b2a05e63259b35c2f95060e7b
humanhash: lemon-snake-floor-kansas
File name:Parking List.pdf,.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:787'456 bytes
First seen:2020-10-15 12:49:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Ogh2eUw7iewKrTQOB6uaLq/y3vJA02DpFT54fRqItzOfhcxSCXV6ZWP7r9r/+pph:9F7nwsTd7av3hapkfHtzAhcxSCF6Y1q
Threatray 8 similar samples on MalwareBazaar
TLSH 5DF4CEC1E9446AA0DC19AB716A3ACD3582237DFD6874A41C28DE3E673FFB6D31026453
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.blc.com.np:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71385/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492420
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 10:45:34 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvz3meri46gi4rg3eadjmgbn2euhtapawqz22u2p5qr24gpp6fda._file
Verdict:
unknown
Similar samples:
11f3b25ae9fd0ba16395cb35d4d528f5180ecb436d0e095f9f4f0ff1e468e8eb
AgentTesla
25f48722bf24e935d7bdca104b416f87424ced29dfec2fbebc817725f09af5f1
AgentTesla
5c5ebd97c48cdd89aeaf3977c3f7951b5351e88c6e88e09627357fc1e1226c22
AgentTesla
67eb81371ab1f5b10fee97f764cc640790bb518fa452554b34ddb4f2f7f74391
AgentTesla
7b7fd4955b651b7279580f7f52d30b7539becf0a637257ee53abeb7dcd03e3e8
AgentTesla
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
AgentTesla
ca74ca06ac3bfd92aabfc85fc7e10ae5d9e2e6306ed488eb7bf0b06640890a9f
AgentTesla
f9dfd82d610e342a0d0a21dad1df689c979f863ee1b9f978c56dee49c5bfbb69
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201015-llzctv5yvx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e58f60936e679e8e5ac09b9f71be2c182cf1fe9a8b03fc7c3e5fcbfb3e5e5a5e
MD5 hash:
18a198c6dd57cc522a729c81e93e1c63
SHA1 hash:
24c3c6297ad003f9aa57b5cf972d812f0a7ef51e
Link:
https://www.unpac.me/results/75ec58d1-09d2-465c-b506-bdb354571f13/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/75ec58d1-09d2-465c-b506-bdb354571f13/
SH256 hash:
ed59b3fc26de2b31e908f025c23d01eb8ed9834b2bdd740745e1dc0737e443b9
MD5 hash:
d67f7450a64932b410ed9cb2e02b52cc
SHA1 hash:
a4d7f12bd7f03b55b5c05ee1794e566b8521baaa
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/75ec58d1-09d2-465c-b506-bdb354571f13/
Parent samples :
765622475f6dbfe564a2c84b050b1993aa0168fb2ca34d67e4c7fb641b302678
1dbc1c2ea41a79c3046b9f0796248ba48db207c93fb7c1521e81763671298144
6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146
532051adf5893bf586b56210af5c7f3c4e8f72cfecf8ef52687f34e1fea17ab3
da505ce244393d643b3e6aec90db41401a9685c56bec2e5eb0c5117b33e66eb1
57b7d138364e73bd3a7569d66edde728f9827be45f04d78b3213f7027083d985
SH256 hash:
6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146
MD5 hash:
9869608b2a05e63259b35c2f95060e7b
SHA1 hash:
28371716eb5fbef43e44bf3eadd6872db070e82c
Link:
https://www.unpac.me/results/75ec58d1-09d2-465c-b506-bdb354571f13/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71385/

Comments