MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408
SHA3-384 hash: e803d85826649d3101c371f91827190dcf488f33a9887df70a32d987caf6dfa61e14a1f090350e1b4948b92f70cf6ff1
SHA1 hash: 95904afa853d4b821303079be70503415dda064a
MD5 hash: 635a2431cd3ecf11cd1f6fe801901a58
humanhash: muppet-pennsylvania-high-jig
File name:file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:497'664 bytes
First seen:2021-05-26 17:38:02 UTC
Last seen:2021-05-26 19:12:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:55xvY1N4oE8ysON6lNlr5RBlqaYyGM0SZ6:5E1NhE89OOr5DlrYyGMzZ
Threatray 5'336 similar samples on MalwareBazaar
TLSH C0B4D0AC13A85631C5EE1EFD477053D8463DE932242DDA0BECC5A1BA983D7454F3AA23
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-26 21:24:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9cdcaab6-1ceb-48a2-baaf-a102b6b3c5b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162527/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36971900.31647.16970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792809
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 01:14:37 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3vfs6ofib34h3zi6cuzad6yo6nbv3xjivvoyglyzgswi4qemqea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0063947555fada876477c4e186d19517a3894d56153477590b0d6367ec80fe2d
AgentTesla
3cb19f648096769ee0a5c8e75baba67896e6c59145e3bb18ce059f34c31e73bc
AgentTesla
6c43ac41372f9ff91e47ffa81a9c086e16cc32014d0b6f7c4571fa31a8fecd3c
AgentTesla
77eacae1a82febc29d17db391e272a92f94be83374a8e98f5447da680c011a0a
AgentTesla
865be6910571e1334ef42b0396a44f76c45ad6048132da31f5599fe2dcfa2081
AgentTesla
acc4f3dec5d471c28db29b9e7877fa419d157ebaa44b51039fbae33d6e33ca02
AgentTesla
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
AgentTesla
b8d6bb6bd781ada88943e09cd8f1ebf4f68fd17732aa1edadacc83b50ea21a07
AgentTesla
cf2c412bab676e1a08e97f155470a4722a20350f3bd7a4a636a31e24dac6324a
AgentTesla
e4649c6b74b9494074c6020ba5e73d1253ed1929146135f4e9dbc48da6ace470
AgentTesla
+ 5'326 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210526-6phv2mme8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/162527/

Comments