MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eae84ece9518036a2bb762dc2e30a32568e20a1f1f8ce50247310b727389150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	6eae84ece9518036a2bb762dc2e30a32568e20a1f1f8ce50247310b727389150
SHA3-384 hash:	42fc6cbb87db50d25feac7a31b5bd8e193f45c64eb4ae157c299750b2fdf0050e17c7e19c2b823711158278cfe1359f0
SHA1 hash:	b2c6d86f4ce3a277083aabd7841a0dcdfe2535f7
MD5 hash:	0c74e57e89992b44be763238c96d9355
humanhash:	oranges-hawaii-solar-cup
File name:	DHL Shipment Notification Status AWB811470484778202129-pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	755'712 bytes
First seen:	2021-05-05 06:13:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:kM9nevGN9dVxktwU2UJY3RmQLfGFf6Pp6veHfq7eXuu3FZMvTIeSZnZbLDebRWH:kSnevGpVUhJ2LlpoFu3FZPeglKbE
Threatray	4'475 similar samples on MalwareBazaar
TLSH	CBF4224BB5DC29E8C66DC6768C6032502330BE669A1BCE052CC6706849F75079B73FAF
Reporter	TeamDreier
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/149917/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/711499

Signature

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6eae84ece9518036a2bb762dc2e30a32568e20a1f1f8ce50247310b727389150/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-05 03:58:22 UTC

AV detection:

11 of 47 (23.40%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n2xij3hjkgadniv3oyw4fyykgjli4ifb6h4m4ubeomilojzysfia._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

129c12816f1bf3b9b80fc15d4515e5df5cac9b65824f0dff50eade40c2030abb

AgentTesla

12bff015aed1ce1ec23317da40227b2acbe269261870570848192aacc4a6047a

AgentTesla

3ef3019867fc829d59b65a986f05ff1fd21c10f88266d10344d92a738746bb50

AgentTesla

5f9a10a2caebb78a305800c2fd28d3a4a9387a5415df54fbfebf26e2150997a7

AgentTesla

8b3a8630800280cdf3e61243a7343e93a6b54b8a51b859d7d52b7dccaace0513

AgentTesla

8d6923c7b88feaea7b9df935e450e606a112643a1cf0abefcf3b836edfeae010

AgentTesla

909b8077e052b8176a40b50c8154344a720576d7c7e3462d39546cef12d28e07

AgentTesla

99e683680f3f8272b6c3d7d173e7f942c2747336ba3c6e729e00e9d15b743ec7

AgentTesla

a0fc12b65029f2629cf2b7c69c2179c6503a24a6bdabbf21680886c375959efe

AgentTesla

+ 4'465 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210505-gap8h8gc6j/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/588de118-7b22-4214-9c39-c205b2ac0130/

SH256 hash:

6eae84ece9518036a2bb762dc2e30a32568e20a1f1f8ce50247310b727389150

MD5 hash:

0c74e57e89992b44be763238c96d9355

SHA1 hash:

b2c6d86f4ce3a277083aabd7841a0dcdfe2535f7

Link:

https://www.unpac.me/results/588de118-7b22-4214-9c39-c205b2ac0130/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6eae84ece9518036a2bb762dc2e30a32568e20a1f1f8ce50247310b727389150

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/149917/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample