MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d75610ed73dcee36125f4b3e248196b805c3d0c2039d4ec16aae998eb729b49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	6d75610ed73dcee36125f4b3e248196b805c3d0c2039d4ec16aae998eb729b49
SHA3-384 hash:	22501dcd8ba69117c119aa68b19a246699915e4c56f72765a61c191fe8d33095518c5f5dc1b6049e9facdce8233c824b
SHA1 hash:	c93928ca5749f784150e8791e5b639e9db3f1c6e
MD5 hash:	57f8e760393e067529a04f9a71b81ff5
humanhash:	pizza-tennessee-social-massachusetts
File name:	copia de pago.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	58'368 bytes
First seen:	2022-03-01 09:43:07 UTC
Last seen:	2022-03-01 14:46:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	768:hwTudAeb3XokaTh6RidhkGWqlRi55g8dtA6ohgAftZNViCnf1K0osAYqF85Rw+dT:hwTkj1kEwdhCmRi5imA6jeVrNKf0/
Threatray	15'339 similar samples on MalwareBazaar
TLSH	T149435B11DAB9E82DC82ACD7ED493C1600633FD095CC396978F91FA9DBC7074A7942B25
File icon (PE):
dhash icon	4f4dd5d0f0e47133 (2 x AgentTesla, 2 x Metasploit)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/245691/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Launching a process

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware obfuscated packed shell32.dll update.exe

Link:

https://www.filescan.io/uploads/621deae50cd58dbd9259ceee/reports/324f022b-71fa-47db-adb6-1994bf714b71/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ef514ebe-ddd1-44d0-94fa-e1a5ecab4e6b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/948012

Signature

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d75610ed73dcee36125f4b3e248196b805c3d0c2039d4ec16aae998eb729b49/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-01 09:44:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nv2wcdwxhxhogyjf6sz6esaznoafypimea45j3awvluzr23stneq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

32ed1460a90d3d0b8b062010d380c0fa9f4e945040667a692202d25a6f14592c

AgentTesla

4c192fc1dc7f635c130772d20f28ae4f5457cf1472b66a12f3dc25fec4c8113b

AgentTesla

752395f8fb12c03c3c4ad25060efc325c206e23ce270bc1dfb3b037190a8d8a3

AgentTesla

9f02653c0b54c6510e0a08e07bbb27d61e53dce664551b9363537e36ec4b51e6

AgentTesla

c332668f26203de2c05ccb54384fb725095ce6812292f7f90285e37951ef589e

AgentTesla

d67f9e40bfba1f8b8f973f7fc52efca0023e02d26143284853fba9a367af5760

AgentTesla

eee094c1cacd32b54a005e1d218c9c5659485e7291d7c4d6b07dcd4f45e4cf45

AgentTesla

+ 15'329 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/220301-lqg6lsheg2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

6d75610ed73dcee36125f4b3e248196b805c3d0c2039d4ec16aae998eb729b49

MD5 hash:

57f8e760393e067529a04f9a71b81ff5

SHA1 hash:

c93928ca5749f784150e8791e5b639e9db3f1c6e

Link:

https://www.unpac.me/results/94e74ec9-0ec5-43dc-b033-bb6ad0de5173/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6d75610ed73d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d75610ed73dcee36125f4b3e248196b805c3d0c2039d4ec16aae998eb729b49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research