MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e349d08351d823858f58319874f8b70314b4b20ec746470b1cde7659ca811b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e349d08351d823858f58319874f8b70314b4b20ec746470b1cde7659ca811b9
SHA3-384 hash: 2afd7277cde48c63a2b03bbb6fe955d0eb1c955c501fde25cdf4122bd4374184d55d134fd48e1ac3f46c1c3832baba28
SHA1 hash: c1e9235af5520308b861b9218f2938ac8b680933
MD5 hash: d9ccd8340c326c9eb0e753c9be063682
humanhash: high-alpha-nitrogen-illinois
File name:Reg_PA_Statement_B20210705 15h05m55s.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'046'016 bytes
First seen:2021-08-05 11:37:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qZCXESbR4MB8o5kK1ZKkzZuBMVvYIYg9R6uqFX/N1fVNia+NB1CThHWhXS6DbI:sCXgo2KncBkYo9R6P/NJKao7CTxWhXU
Threatray 7'873 similar samples on MalwareBazaar
TLSH T15F2512116690A953D9AC0A750FAAE1304FBC5D169628D66C3DC83D4734BFBC3272A9F3
dhash icon e869d4f0f0f0f070 (12 x AgentTesla, 7 x SnakeKeylogger, 6 x Formbook)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Reg_PA_Statement_B20210705 15h05m55s.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-05 11:38:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d57801ef-3eaa-4a22-b7bf-81887a7e8978

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176625/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20210804-2007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9dad329-ce18-44f5-aaad-2f34b4388b59
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827718
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460149 Sample: Reg_PA_Statement_B20210705 ... Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 6 Reg_PA_Statement_B20210705 15h05m55s.exe 3 2->6         started        10 NXLun.exe 2 2->10         started        12 NXLun.exe 1 2->12         started        process3 file4 25 Reg_PA_Statement_B...5 15h05m55s.exe.log, ASCII 6->25 dropped 53 Writes to foreign memory regions 6->53 55 Injects a PE file into a foreign processes 6->55 14 RegSvcs.exe 2 4 6->14         started        19 RegSvcs.exe 6->19         started        21 conhost.exe 10->21         started        23 conhost.exe 12->23         started        signatures5 process6 dnsIp7 31 mail.citechco.net 203.191.33.181, 49754, 587 CYBERNET-BD-ASGrameenCybernetLtdBangladeshASforloca Bangladesh 14->31 27 C:\Users\user\AppData\Roaming\...27XLun.exe, PE32 14->27 dropped 29 C:\Windows\System32\drivers\etc\hosts, ASCII 14->29 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file access) 14->35 37 Tries to harvest and steal ftp login credentials 14->37 43 3 other signatures 14->43 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->41 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6e349d08351d823858f58319874f8b70314b4b20ec746470b1cde7659ca811b9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 10:33:41 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ny2j2cbvdwbdqwhvqmmyot4loayuwsza5r2gi4frzxtwlhficg4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2f69e9d9014ca9885e5e09f8db773d069b524066e038eeae4377ea6c554fbf95
AgentTesla
540ea98c1188f5e8bf41cd359f02664181fb6d04acccfd4408de1e1f4ac203a0
AgentTesla
66c452b78b6021522f6b726773698cf4bc94e3e6a6b220ca930996afb30fab7c
AgentTesla
7a1b25d0bdb7a73494ebb70190155a601a982bd248c5ac8b1fe39666b2cb0565
AgentTesla
7c1011ea932942d42054c1b973cdcf765076fae3e6c8483280580f57ac65a539
AgentTesla
978adbd45151d6b915f683cef40113cc2fa08ab0686682b2ce44b9f5b33bb4dc
AgentTesla
e9342d5c2ca95888a7589ef0fa20636b3534e64a8e7b419e772977c04745dcc7
AgentTesla
+ 7'863 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210805-6kaeqv48wj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1
MD5 hash:
c273f926e2a29bd62cc8f27b569a0b2a
SHA1 hash:
e08d302cab3e11d776599a6b0537207fce6f9c51
Link:
https://www.unpac.me/results/bc101185-06da-4ea6-b74b-329067b87a9d/
SH256 hash:
1255332652a98de9072771614a0e6876e09a7b6f22ccf1ce37200d6b793e8b26
MD5 hash:
2bdfefb68786ea3b37ca644240483838
SHA1 hash:
4fd6aeaf18893d66149d57e47a65067d558a5d64
Link:
https://www.unpac.me/results/bc101185-06da-4ea6-b74b-329067b87a9d/
SH256 hash:
77757cf5c336e87ff96f1a2a6fdb0571667050763196a26719d63039dc0338d1
MD5 hash:
440b3015f267e533ba8f06831f8bca6d
SHA1 hash:
1e36a197ab5748a762bb366a80f2de7181a63515
Link:
https://www.unpac.me/results/bc101185-06da-4ea6-b74b-329067b87a9d/
SH256 hash:
6e349d08351d823858f58319874f8b70314b4b20ec746470b1cde7659ca811b9
MD5 hash:
d9ccd8340c326c9eb0e753c9be063682
SHA1 hash:
c1e9235af5520308b861b9218f2938ac8b680933
Link:
https://www.unpac.me/results/bc101185-06da-4ea6-b74b-329067b87a9d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e349d08351d823858f58319874f8b70314b4b20ec746470b1cde7659ca811b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176625/

Comments