MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e1a17d620bdeba7661494a769ebc1fb0fad89fbc72c5c07434f41ae3253322b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e1a17d620bdeba7661494a769ebc1fb0fad89fbc72c5c07434f41ae3253322b
SHA3-384 hash: e9a129687857ddbc97ec035d2eb4cbca8622a02ff556bbe338c2bc24e3c8339923a41946eeb351b705ba42ad9e7998f1
SHA1 hash: a4361b993d61c37e58c6552ea59b4634ddc8cda3
MD5 hash: 3c9f99f80db4eda2078a8564afe7185f
humanhash: indigo-wolfram-hydrogen-nine
File name:3c9f99f80db4eda2078a8564afe7185f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:31'240 bytes
First seen:2020-12-08 18:38:41 UTC
Last seen:2020-12-08 19:51:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 384:+kY3N2Tsgj8RHc3s2A96YQ+vbGzVPTT240frwXkNBvVPgSWOmWkVDgf2h:fQa7J3jMDBvbmPTMwXkNBvxgiSUf2h
Threatray 1'735 similar samples on MalwareBazaar
TLSH 40E2527E3AFC4D31C4F5A2320CA2245102F161CF9D26C6BD5EE96CCA0782793BBC6959
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NK125 Original.bat
Verdict:
Malicious activity
Analysis date:
2020-12-09 20:35:00 UTC
Tags:
loader openme
Link:
https://app.any.run/tasks/58965764-dc89-4d7d-9696-13d5aa20be8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107338/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilCO.34670.bm1@auAUMWh.354.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/558371
Signature
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 328282 Sample: 8cXVAdvZhh.exe Startdate: 08/12/2020 Architecture: WINDOWS Score: 80 57 hastebin.com 2->57 65 Yara detected AgentTesla 2->65 67 Connects to a pastebin service (likely for C&C) 2->67 8 8cXVAdvZhh.exe 18 6 2->8         started        13 8cXVAdvZhh.exe 3 2->13         started        15 8cXVAdvZhh.exe 3 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 59 hastebin.com 172.67.143.180, 443, 49726, 49736 CLOUDFLARENETUS United States 8->59 55 C:\Users\user\AppData\...\8cXVAdvZhh.exe, PE32 8->55 dropped 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->69 71 Creates an undocumented autostart registry key 8->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->73 77 3 other signatures 8->77 19 cmd.exe 1 8->19         started        21 8cXVAdvZhh.exe 2 8->21         started        75 Injects a PE file into a foreign processes 13->75 23 cmd.exe 1 13->23         started        35 2 other processes 13->35 61 104.24.127.89, 443, 49737, 49738 CLOUDFLARENETUS United States 15->61 63 192.168.2.1 unknown unknown 15->63 25 cmd.exe 15->25         started        27 8cXVAdvZhh.exe 15->27         started        29 cmd.exe 17->29         started        31 cmd.exe 17->31         started        33 8cXVAdvZhh.exe 17->33         started        file6 signatures7 process8 process9 37 conhost.exe 19->37         started        39 timeout.exe 1 19->39         started        41 conhost.exe 23->41         started        43 timeout.exe 1 23->43         started        45 conhost.exe 25->45         started        47 timeout.exe 25->47         started        49 conhost.exe 29->49         started        51 timeout.exe 29->51         started        53 2 other processes 31->53
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6e1a17d620bdeba7661494a769ebc1fb0fad89fbc72c5c07434f41ae3253322b/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 17:35:45 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nynbpvraxxv2ozqusstwt26b7mh23cp3y4wfyb2dj5a24mstgivq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9
AgentTesla
252cd2dc483bc1fe2a6b555dbf762cac69a24b6526abd6cbc4c501eb7ac21b21
AgentTesla
2b299b1a485f9387dcc44b788637e9d81430d06a0a64c2bf96754b153bee7746
AgentTesla
36f9ec0c44ca2ed814b6c301f89a1e31f2f84eed689569fba5ec0ec9464c2342
AgentTesla
541d2b3f34842b415901f2a40880b3fd44344b5ac7d78c991ee11456ae88e30a
AgentTesla
6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc
AgentTesla
a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641
AgentTesla
c9442156b26b8fe68a84028f85861191bff85680b1460d26b9491cbc3f3ac230
AgentTesla
e5287a458eafaf621201ab6b5c6e966ee2b0dc02fa2b50b91bf537bbe023e74c
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 1'725 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201208-tm7gbneh7a/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
6e1a17d620bdeba7661494a769ebc1fb0fad89fbc72c5c07434f41ae3253322b
MD5 hash:
3c9f99f80db4eda2078a8564afe7185f
SHA1 hash:
a4361b993d61c37e58c6552ea59b4634ddc8cda3
Link:
https://www.unpac.me/results/e9a70d35-1a76-43f1-961e-ca336ad6a67b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6e1a17d620bdeba7661494a769ebc1fb0fad89fbc72c5c07434f41ae3253322b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 6e1a17d620bdeba7661494a769ebc1fb0fad89fbc72c5c07434f41ae3253322b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/899403/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107338/

Comments