MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
SHA3-384 hash: 751383425b040839285393203e1d47e2cc0f248d0da029ca4148a22ce2027df089178494675d8b214cf3c8a20f68a45e
SHA1 hash: b6ce7d31d77255129e1be820e6982d18cf24816b
MD5 hash: 31314b388f243437c1afccb13ab60a01
humanhash: nitrogen-delta-solar-texas
File name:Sales Order PO34718.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:669'696 bytes
First seen:2020-10-22 06:09:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:msk9A1GKZHNYPzodSeHHHVtDOn7R+tvFF7mnc7t6JwqF5MAGWZ:9sA1GUKzodSenHVqR+2W4MA
Threatray 711 similar samples on MalwareBazaar
TLSH 0CE4125471AAB762D2BE0BFA232C00169BB1845F6373E3641DE37BE66562B040F94E53
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: m.dada@alhattabcontracting.com
Subject: Sales Order PO34718
Attachment: Sales Order PO34718.arj (contains "Sales Order PO34718.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74451/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.14815.157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506613
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302478 Sample: Sales Order PO34718.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 11 other signatures 2->57 8 Sales Order PO34718.exe 6 2->8         started        12 YYtJku.exe 5 2->12         started        14 YYtJku.exe 2->14         started        process3 file4 43 C:\Users\user\AppData\Roaming\iLNLHaaz.exe, PE32 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmp8869.tmp, XML 8->45 dropped 47 C:\Users\user\...\Sales Order PO34718.exe.log, ASCII 8->47 dropped 67 Injects a PE file into a foreign processes 8->67 16 Sales Order PO34718.exe 2 5 8->16         started        21 schtasks.exe 1 8->21         started        69 Multi AV Scanner detection for dropped file 12->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->71 73 Machine Learning detection for dropped file 12->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->75 23 schtasks.exe 1 12->23         started        25 YYtJku.exe 2 12->25         started        27 schtasks.exe 14->27         started        29 YYtJku.exe 14->29         started        signatures5 process6 dnsIp7 49 us2.smtp.mailhostbox.com 208.91.199.223, 49712, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->49 39 C:\Users\user\AppData\Roaming\...\YYtJku.exe, PE32 16->39 dropped 41 C:\Users\user\...\YYtJku.exe:Zone.Identifier, ASCII 16->41 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->59 61 Moves itself to temp directory 16->61 63 Tries to steal Mail credentials (via file access) 16->63 65 3 other signatures 16->65 31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        file8 signatures9 process10 process11 37 conhost.exe 31->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 17:24:53 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3hnkhu6t54y46lcogemnebgubvfoybb2ejmroko2ul7ev3lacpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675
AgentTesla
19cb1d89fb670dd31ceae6e0c41ffcf47767f6b3779804841f7aaf75adcd028f
AgentTesla
295cd8c1062fecbaf17dd0095897fbdca561bf28616a08190a47adfb68e7c10d
AgentTesla
5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c
AgentTesla
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
AgentTesla
6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c
AgentTesla
90c99275bfea4f4084d07b4a0a044f81e6c9fbe19fba688a7fe8a0be46004acf
AgentTesla
c2ba3a95fddac0ef23badcc972a977cb385c87946ae87816ccdc76358b7183e6
AgentTesla
ef0c2ed8513696cd7e1906a3d0e4ec4756078edcf1d0682d23e9f945d178f3dd
AgentTesla
fea590dbb8987a6358d6708c5728826c5dc44c943ff4145ab1bc6d110c03e13c
AgentTesla
+ 701 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201022-98metacplj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/644d193b-8bee-42cc-bc37-69661b82b640/
SH256 hash:
9a0850b323e37fbeeb2672afd984ca8e7971a55a0ae5cafa3a719c9447d65d83
MD5 hash:
653a1f31ac2c985edcc8df64ffe9f8b1
SHA1 hash:
a7ac25454184f1b8d5d0c00c8ea5fe0634f43cf7
Link:
https://www.unpac.me/results/644d193b-8bee-42cc-bc37-69661b82b640/
SH256 hash:
45f5eedf54db0e733d41240cb1a1df67008eda0ddbbe22e4f14c60f65dd3eb56
MD5 hash:
0eefd3c5290f9eb63913e70d8104fce9
SHA1 hash:
de6c74cd49344562ec836995019e342a9fb49ad0
Link:
https://www.unpac.me/results/644d193b-8bee-42cc-bc37-69661b82b640/
SH256 hash:
6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
MD5 hash:
31314b388f243437c1afccb13ab60a01
SHA1 hash:
b6ce7d31d77255129e1be820e6982d18cf24816b
Link:
https://www.unpac.me/results/644d193b-8bee-42cc-bc37-69661b82b640/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 45fcf21f61fa5a09ba1981a71995a6180731378ab04cf1de72953455711e21a9

AgentTesla

Executable exe 6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f

(this sample)

  
Dropped by
MD5 a0a740b6dbf5fc0ce336d7dd0272481f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 45fcf21f61fa5a09ba1981a71995a6180731378ab04cf1de72953455711e21a9
Cape
Cape
https://www.capesandbox.com/analysis/74451/

Comments