MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ed53f6643dcd36904ac60d32e8f0966d71bc8445d5295cb0414b7229f1864df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ed53f6643dcd36904ac60d32e8f0966d71bc8445d5295cb0414b7229f1864df
SHA3-384 hash: 101890ea2e9390666e417f1d7dbf549b6947d6133973cb0b4fdd24bc7d9e8a0fe681b8cf274f1dfdaba47d5a184cecfa
SHA1 hash: 993a3d154d982b82cf06cc9bf5ce29128118aed3
MD5 hash: 0c023de3d922fd90f310e6a02fc74d35
humanhash: sink-stream-bakerloo-river
File name:0c023de3d922fd90f310e6a02fc74d35.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:775'680 bytes
First seen:2021-03-10 09:57:25 UTC
Last seen:2021-03-10 14:39:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:OnWmm+3NwEZFsak0tGRgt41Rj+bzwf6p5:OnJm+zTHKgt41Rjms+5
Threatray 3'142 similar samples on MalwareBazaar
TLSH D1F4E0B4F529A272F5247BF9093367BC4A2E2D22D421EB5D3A4972CE21753C044E7E27
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI.doc
Verdict:
Malicious activity
Analysis date:
2021-03-10 08:27:24 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/136d28a4-0f56-4088-aabb-3c3af8d1df2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123562/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.8526.18521.22073.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/634146
Signature
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 09:58:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3kt6zsd3tjwsbfmmdjs5dyjm3lrxscelvjjlsyecs3sfhyymtpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06931cbd1dd5ccb784ad1dbaaf1c7fe4c32e470137101cc559925b4b1ffa0c26
AgentTesla
13c2c8a664f801f6b93ad2df2fdcf8bd5335af505a25f76f1163639fdf6e8b2a
AgentTesla
22c6a5976ce7b78c9fc9be80c53945344670b5df128629f0d1e99d48b2e65121
AgentTesla
5fb48652e5909992ab84d9b849e19aebdef214eba613be1fb18b576ee8dfc618
AgentTesla
63fe4414329ce0fa71954c9d1a65a74d49457844fb1043b104f4cd64c832f84b
AgentTesla
764c908b57db1ff35e465a111999abe7c93cfba38a887dc9eaa7cd9bece27ebd
AgentTesla
886ba6fb5ca14ac0359389fea6cc26a70667a06c61f6498567c2fe6666b750cc
AgentTesla
dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2
AgentTesla
f53664934ab27fc783bb852757bbf36152785b41d5434eba53774050eab19ed6
AgentTesla
fbdbd6b6c6cd7a2b07d771d9969e53689f3601bbf7355ee49138b07511b88df7
AgentTesla
+ 3'132 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210310-ldv4cfvdwj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c05ed6b1a71b0c35427e3a3423db5d59fff0efff9dbb088ea776ad3fe88bcaca
MD5 hash:
4b3d85b7aef0c189beea1df4a8a80052
SHA1 hash:
291845d1d7c5842b2aa67505720b0b4df0dadf52
Link:
https://www.unpac.me/results/5a4788b8-75f2-4ecb-8d54-942c9d6e66c5/
SH256 hash:
ab056bf16edc280df3d80740c132b7b8667ec1f69cb225fac2e3017c2ce5f802
MD5 hash:
7f366007478d26350bc9d2fef6e13f62
SHA1 hash:
921e7a90b22d2d1d6e1691805f1733ab8e04c107
Link:
https://www.unpac.me/results/5a4788b8-75f2-4ecb-8d54-942c9d6e66c5/
SH256 hash:
1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc
MD5 hash:
8f85df46a482b5b068ae7667bf1a33d6
SHA1 hash:
a210d369311aa4d709dc962c634174738576907e
Link:
https://www.unpac.me/results/5a4788b8-75f2-4ecb-8d54-942c9d6e66c5/
SH256 hash:
6ed53f6643dcd36904ac60d32e8f0966d71bc8445d5295cb0414b7229f1864df
MD5 hash:
0c023de3d922fd90f310e6a02fc74d35
SHA1 hash:
993a3d154d982b82cf06cc9bf5ce29128118aed3
Link:
https://www.unpac.me/results/5a4788b8-75f2-4ecb-8d54-942c9d6e66c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ed53f6643dcd36904ac60d32e8f0966d71bc8445d5295cb0414b7229f1864df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 6ed53f6643dcd36904ac60d32e8f0966d71bc8445d5295cb0414b7229f1864df

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1058676/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123562/

Comments