MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f0c4fde6a68ef453982bb4958cb5d571cf45179b2bc623fa4cc9a8f69f85823. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f0c4fde6a68ef453982bb4958cb5d571cf45179b2bc623fa4cc9a8f69f85823
SHA3-384 hash: 517a39b7c2a27de6632f23f223c0c07412ccee57fa212ad0607ce425e8fcf9f57d7a10af08a01c14de460e24beed4f16
SHA1 hash: 9b9006a0338d9a173e77b8ef5359e0341239b126
MD5 hash: 4b55159bed167b70cddbb20de7a0ae4e
humanhash: harry-spaghetti-moon-nebraska
File name:Pictures_logo jpeg jpeg jpeg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:263'264 bytes
First seen:2020-10-13 07:54:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:N7GHdnN3pEwcpb/apGW7I82jJ8CR1RYQHv7LpJDJQ+TZ8hywxGKnEgh4CvGxZrhQ:NGVN3rChl8avp5JhN8hywYgEhCO/NQAC
Threatray 506 similar samples on MalwareBazaar
TLSH C84471547107BC0BDDB90A741871C48626F6ADF2B7E0C6B86CD0A7CEED86554BA0ACDC
Reporter abuse_ch
Tags:AgentTesla exe Yahoo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sonic305-22.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.185.148
From: benco incorporated <dougles_g_russell@yahoo.com>
Reply-To: bencoincorporated@yahoo.com
Subject: Fw: latest PI
Attachment: Products_Pictures_logo_Designs_ pdf.rar (contains "Pictures_logo jpeg jpeg jpeg.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70333/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44054833.25050.16422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/489371
Signature
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f0c4fde6a68ef453982bb4958cb5d571cf45179b2bc623fa4cc9a8f69f85823/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 22:12:50 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n4ge7xtkndxukomcxnevrs25k4opiulzwk6gep5ezsni62pylarq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
264ad4ce9b883fe3ff074ec43f796c1a496da7647bad4bd70c3c905b2dc22711
AgentTesla
2f02f87bd00996719cd97c827f1bd4578033a03d7e3884ec18ec0eca32cee516
AgentTesla
35767d6d20ce62535abc0c0cae7927e52a7585d400f2836954d9b086ecf136bf
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
44c8acbbe1fdbcab7397c03bc91d5d3f440ec11f6358974e4bcc27ee28a4b838
AgentTesla
493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927
AgentTesla
649dc91d888b7981f2a39afb3d6810689fa7ea3b3d21f46274b0cc7f0c31ea2d
AgentTesla
757d376a5edc5d260ab3fb209797dbbdf3ce43f6331432174b1398f14e723e20
AgentTesla
f4468ef3eb4ae6445b097b0200d918ae0e1bba94b8c4c613031e2aab32c9f083
AgentTesla
f924ed04e2ce70872e8e341379288a15579ade521df2e4d248054fe2d9357ee2
AgentTesla
+ 496 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence keylogger trojan stealer spyware family:agenttesla evasion
Link:
https://tria.ge/reports/201013-mldmcpjzqs/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
6f0c4fde6a68ef453982bb4958cb5d571cf45179b2bc623fa4cc9a8f69f85823
MD5 hash:
4b55159bed167b70cddbb20de7a0ae4e
SHA1 hash:
9b9006a0338d9a173e77b8ef5359e0341239b126
Link:
https://www.unpac.me/results/2874dfa8-9576-45e9-b78f-87624583b3df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f0c4fde6a68ef453982bb4958cb5d571cf45179b2bc623fa4cc9a8f69f85823

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 89e2021ab6fa9ec200cf0944db86008d8fee7dd6ff60f2d040665f4bc6dd2a29

AgentTesla

Executable exe 6f0c4fde6a68ef453982bb4958cb5d571cf45179b2bc623fa4cc9a8f69f85823

(this sample)

  
Dropped by
MD5 250f06ae1d8b19ad6059ab9dd54a7a6c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70333/
  
Dropped by
SHA256 89e2021ab6fa9ec200cf0944db86008d8fee7dd6ff60f2d040665f4bc6dd2a29

Comments