MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f07e71a7eadd665356c0666a30eb8dfcd0e59bfb869b7a8e2a107db75d55877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	6f07e71a7eadd665356c0666a30eb8dfcd0e59bfb869b7a8e2a107db75d55877
SHA3-384 hash:	dbef3231910d27e54e1e4bb9abb7f557a25b124ca3035b9b9f23186a91ee4e359d66b6a2c68c792ead1420d14635f511
SHA1 hash:	5b0f5f4fb7d68878b743d8de0afa88cd4e7e47bc
MD5 hash:	aa7e022f0fe5d446647cc2cc9c995a47
humanhash:	william-whiskey-venus-bacon
File name:	aa7e022f0fe5d446647cc2cc9c995a47.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	527'872 bytes
First seen:	2020-12-18 09:24:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:iv4DPeaVwubqEus5tDBs6rx4nBtESP0QWHhSN0c0B:RSBERDuNn78QWFc0B
Threatray	1'897 similar samples on MalwareBazaar
TLSH	1DB4E13222507B66EA7D0FF4D01125404F746F6B6632E54EBC8110DE26BFB34BAA5E63
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla FTP exfil server:
smail12.linkpc.net:21

AgentTesla FTP exfil user name:
control

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aa7e022f0fe5d446647cc2cc9c995a47.exe

Verdict:

Malicious activity

Analysis date:

2020-12-18 09:30:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a8304c0e-c9c1-4921-a381-9fe7342570de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/108357/

Detection(s):

Win.Dropper.Nanocore-9809613-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/566174

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f07e71a7eadd665356c0666a30eb8dfcd0e59bfb869b7a8e2a107db75d55877/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-10 13:06:59 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n4d6ogt6vxlgknlmaztkgdvy37gq4wn7xbu3pkhcued5w5ovlb3q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0b0497a471a34be0ac2c4719719527d6a73b4a0ad0d7b8f43d9c9af5119ce9cd

AgentTesla

261036c3c84844bc59b94e39261363d6d9443350e27e1fd4fa8e7716ab6a2e83

AgentTesla

7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c

AgentTesla

9634cf79c1254f6eb68967cc89267c50513f9df930c15bdcc77bbd1fa1b5add6

AgentTesla

c5c5950509109e01461d9a3779f6ff994b755f4f995c241c1d0e9f775df867c6

AgentTesla

d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16

AgentTesla

d9b7bb2c86f319f087b2e08d9097639b134acff8298e28a736a103e4eb3a6cbf

AgentTesla

dc4703df57c6fd50a74396618bc4f9da307e530c8469a0418667a26d24749684

AgentTesla

ef9af7994d5d9ac283134b522ae1e1680eecee19974bf717fc5cb50d69b5d371

AgentTesla

+ 1'887 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201218-34beay9d6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

6f07e71a7eadd665356c0666a30eb8dfcd0e59bfb869b7a8e2a107db75d55877

MD5 hash:

aa7e022f0fe5d446647cc2cc9c995a47

SHA1 hash:

5b0f5f4fb7d68878b743d8de0afa88cd4e7e47bc

Link:

https://www.unpac.me/results/fa8fc3cf-f8b6-418f-8b03-b35288f0ce8b/

SH256 hash:

c20b20b3b37c7a2b47ecfbab5b3fd35f3497c57b7c875fdab8205af1d4db7e00

MD5 hash:

ea0804fbe3425f7f87d4a57b6a291a2b

SHA1 hash:

0a610772c096c271bd98e1f4cd99282ec755f362

Link:

https://www.unpac.me/results/fa8fc3cf-f8b6-418f-8b03-b35288f0ce8b/

SH256 hash:

5660b0f32c656ece2f1eecbf6f9593b1f295eebe324804fb9d36dc6bb4b03b84

MD5 hash:

626fcaf2b8d7a9229d8af7acd95d16a8

SHA1 hash:

166d451363134ab7f2159fc523dd35dbb63f04d3

Link:

https://www.unpac.me/results/fa8fc3cf-f8b6-418f-8b03-b35288f0ce8b/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/fa8fc3cf-f8b6-418f-8b03-b35288f0ce8b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6f07e71a7eadd665356c0666a30eb8dfcd0e59bfb869b7a8e2a107db75d55877

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/108357/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample