MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dfe16250bb830a1f95feb9d365d56fa7b0f9c48371fdb8fe81cd844ca262d83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	6dfe16250bb830a1f95feb9d365d56fa7b0f9c48371fdb8fe81cd844ca262d83
SHA3-384 hash:	f16ffa5bdc10547624f67d06d89b2fe606acbf747472f6f1391cb390d5dd3f86be40eaad3a51aa6e06da4f6a0eaed824
SHA1 hash:	494604b46b5c717c89e32c6eac10b1ff542c2ed5
MD5 hash:	6d29afda87e482e464edf200b602dca1
humanhash:	mango-blossom-tennis-colorado
File name:	Md7YRHWBvo2Zprb.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	902'656 bytes
First seen:	2021-10-07 12:29:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:E9A76Uq8WcCOtaUaxB+6khy0gM6Tx5UourIRfUTdrgESfjif:E3UDWcCCaz+th56Tz4IUgESW
Threatray	10'961 similar samples on MalwareBazaar
TLSH	T17815205363AC8ED4C06792B4DFC1C4B96C09D9EE421A53B4AB12AB64F75FC031E6A473
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Md7YRHWBvo2Zprb.exe

Verdict:

Suspicious activity

Analysis date:

2021-10-07 12:37:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/38860ce0-47b8-4149-a73b-8bac24831de5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/195847/

Detection(s):

SecuriteInfo.com.Variant.Strictor.256637.18899.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Creating a file in the %temp% directory

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615ee84ee3d213d202b9db43/reports/932c5a6f-2d2a-47d1-86b3-08a0c54cef8d/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec0567f8-f4ee-4913-a809-dc05a50faa2f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/866370

Signature

.NET source code contains very large strings

Found malware configuration

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6dfe16250bb830a1f95feb9d365d56fa7b0f9c48371fdb8fe81cd844ca262d83/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-07 12:30:12 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nx7bmjilxaykd6k75ootmxkw7j5q7hcig4p5xd7idtmejsrgfwbq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

423f9bf9dd367bc3e1d143c112f1fcb4fcd61f81615659451932cd37b4db556b

AgentTesla

5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e

AgentTesla

95345176c2469dc184001d8055b0257760235a947c4ab56bd25155e8e7911667

AgentTesla

abda73763ad36ac411097107443056d1df717f139c8bc7492aec3d6ef33a3242

AgentTesla

bda692e1e48b9e44403b52b04830d2de3a7e68aa5dce3f3a1f4329c7007b385d

AgentTesla

d55058cb53b44c6372ef7fb902fcdb305ab3778229f12a1e62b0c8d05bcc9791

AgentTesla

fb7082ae28a26f373e846efa9077d2b5a35f71f09f8273b66288d1cf04afc913

AgentTesla

+ 10'951 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211007-ppgp8scch7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

.NET Reactor proctector

AgentTesla Payload

AgentTesla

Contains code to disable Windows Defender

Unpacked files

SH256 hash:

ea8ddc457341a65ebb058d29a1d1a256c4b7cdf06f8be9802ed1c92e1bdb796c

MD5 hash:

05e4d6f4b9fb5ced9435a7408824f3b4

SHA1 hash:

ca6259a229c2a60469dd51dd1b874acc4508db65

Link:

https://www.unpac.me/results/991255d1-1338-417a-8948-674ce3954b9f/

SH256 hash:

43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345

MD5 hash:

f62ab5d3528d5a3b9e270ea1f9347868

SHA1 hash:

6a74e87711c615adbd9145f829a33f55b7e42dd6

Link:

https://www.unpac.me/results/991255d1-1338-417a-8948-674ce3954b9f/

SH256 hash:

dff2f68fb0d2cd191f134d2a22923001f1b5d1e3a7fb9f3b1f726997277c8349

MD5 hash:

5beae82189030b4689720e0052da5867

SHA1 hash:

5803133cca79ad7e89cd7d5e76daeb4123429e89

Link:

https://www.unpac.me/results/991255d1-1338-417a-8948-674ce3954b9f/

SH256 hash:

6dfe16250bb830a1f95feb9d365d56fa7b0f9c48371fdb8fe81cd844ca262d83

MD5 hash:

6d29afda87e482e464edf200b602dca1

SHA1 hash:

494604b46b5c717c89e32c6eac10b1ff542c2ed5

Link:

https://www.unpac.me/results/991255d1-1338-417a-8948-674ce3954b9f/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6dfe16250bb8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/6dfe16250bb830a1f95feb9d365d56fa7b0f9c48371fdb8fe81cd844ca262d83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195847/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample