MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f3a65eb596bf237c3aa6d02f1c22cfc1087e03904c6fab5fe86ea45e0463f4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f3a65eb596bf237c3aa6d02f1c22cfc1087e03904c6fab5fe86ea45e0463f4d
SHA3-384 hash: 0e078ba75cc7ab69b0eb13f11f7d936adcd9941c65baef0512e232a2751482df07bf363b8a7850a89ed4a983089d14fd
SHA1 hash: 83a1400fadb072b20fbdaa89b1a1dc0e74b7b4cf
MD5 hash: e956ab0cdacb3c09920c58efa0adc72b
humanhash: connecticut-uncle-seventeen-alaska
File name:gunzipped
Download: download sample
Signature AgentTesla
Create hunting rule
File size:842'240 bytes
First seen:2020-06-15 12:00:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 66065bfa6851d704157ac187a0c7b964 (14 x AgentTesla, 4 x Loki, 3 x NanoCore)
ssdeep 12288:GYHdm1fBr+IwICEMytGbPGcbXDbE1Qla6RgVcP/7kvDxul+IgJLeyxCT/V4zYdLv:GyAiIlCPtfIv9XlJl0i+
Threatray 11'799 similar samples on MalwareBazaar
TLSH 0E05AF22E2E04437D0731A789D1B6E789C29BD1929E8BF4677E4CF0C5E356B03935A93
Reporter abuse_ch
Tags:AgentTesla DHL


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 35-168-85-129.plesk.page
Sending IP: 35.168.85.129
From: DHL Global Mail Inc © <bdcare@dhl.com>
Reply-To: Costomer service <ricknicolas.aol@hotmail.com>
Subject: DHL Shipment Notification Ref ID: 44633179800
Attachment: Shipping Document PLCI_PDF.gz (contains "gunzipped")

AgentTesla SMTP exfil server:
mail.missingandfound.com.my:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10328/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.CryptInjector
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 11:19:27 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n45gl22znpzdpq5knubpdqrm7qiipybzatdpvnp6q3velycgh5gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
26767417c2969ff77af7a5eb1c72747b5e99dbb7c2fd4ec5c76f59dff4cc5f05
AgentTesla
27acf46938632a2dce525dcb8a6e131473bf2d54066de1fd68ee49558547c434
AgentTesla
3507295ed63c79c80e99d9e24b689d6e2853f59ca6f9988ba4635a25b1c4b322
AgentTesla
6b85aba8655a2f157a474bf452f707a27010fb66651c8ec1652d94587c24f86a
AgentTesla
7c69003f46210e2d3e2e23476883c1f22d8b1997a0a3927d726e83f49ed19344
AgentTesla
8d692269e00163075c2d1bdeea0d8fe0ebb06c791233f692fa76e766095ec3ad
AgentTesla
9426eff06a9e6de76b0168a39d457eebc368318ba1c468c8e6b04fe6f7b64b04
AgentTesla
a9a23a0d9df00e223a3c3b5c9ab750ae576b3217752e7a054435291b4d10a970
AgentTesla
b2c27e47afb94c3bebf71559a6fd0195ad330f4fb126bf7a2002c6c1ba995dd4
AgentTesla
fd54073286010523ef59ce428c3ae8b92f87abce1027ed232befe46499bf5e53
AgentTesla
+ 11'789 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-gch4akgjhs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 5f723675c1560d9dfc9b857a638f273b8446bb6028bf01b4a5906e21c9ef9740

AgentTesla

Executable exe 6f3a65eb596bf237c3aa6d02f1c22cfc1087e03904c6fab5fe86ea45e0463f4d

(this sample)

  
Dropped by
MD5 cd1ccdf7559d088f78fce7f84c1b5c9a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5f723675c1560d9dfc9b857a638f273b8446bb6028bf01b4a5906e21c9ef9740
Cape
Cape
https://www.capesandbox.com/analysis/10328/

Comments