MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f6c89a2569d5cf213a0cba5a78eef2d116a0325a6128190a3832f74f9df887b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f6c89a2569d5cf213a0cba5a78eef2d116a0325a6128190a3832f74f9df887b
SHA3-384 hash: 8639e0c937cd5a9cd60f014436f0809085fe99cef153b9a30130d2bf3ac207f077c3aff5e228281480e8a58435fb2d08
SHA1 hash: 281d0493bfcbb5e78e08f55280cdd8d65331bfd7
MD5 hash: 0214d60a17475c87f452fe01b6a1472d
humanhash: fourteen-early-wisconsin-pennsylvania
File name:RR20NK03012 copy.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:821'760 bytes
First seen:2020-08-12 15:41:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca8a968818883f4b47dacd6943e1ee04 (3 x AgentTesla, 2 x Loki, 1 x Formbook)
ssdeep 12288:w13XOoKnE7J93PUtFiMx56Vnh+23dOEhYkvEPlVSXWfhjxj2joKnRtHqb:Ue87J98ii6NY+9gNEmTEoKfS
Threatray 11'722 similar samples on MalwareBazaar
TLSH 4F05AE22F3D05933CC67153D9CCB5774A82DBE11EA689A862BF51C0C8E3968539392DF
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: alkuhaimi.com
Sending IP: 45.153.241.51
From: Accounts Department <rud-division@alkuhaimi.com>
Subject: 首款交单资料--RR20/NK03012(ICBC) (The first bill presentation material--RR20/NK03012 (ICBC))
Attachment: RR20NK03012 copy.pdf.z (contains "RR20NK03012 copy.pdf.exe")

AgentTesla SMTP exfil server:
mail.redwevamaldives.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44286/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.28221.1486.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/423106
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f6c89a2569d5cf213a0cba5a78eef2d116a0325a6128190a3832f74f9df887b/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 15:43:05 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5witiswtvopee5azos2pdxpfuiwuazfuyjidefdqmxxj6o7rb5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
07b327461738337cd0b7f35dd60115e784b779194a014e2125eb5a3d2ad0451c
AgentTesla
27d6e0aa8a7734ceaf0872c545900c87d83bc2955927ba3d0d34739f4d653291
AgentTesla
48a05e42214277f9a4fe66017f03cce54570e22aab74cc8aa7e0a66ec4d3d4d3
AgentTesla
676867153d6ee1465a298e33b59142e1706eb01e0cdf7a7cb829535195b71f0b
AgentTesla
79b1e929f10bf44515921941df55c5d98f5cf82b2be8727c2ebb4291e664de81
AgentTesla
8c597485c8789aeb7f4edef9a49fc83a39346ea4d9f31f51b92f27b77ed8af0d
AgentTesla
a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034
AgentTesla
aaf7a834529623fa776d9574d7026a9a40148fec3b8d598e8e8dfced91973760
AgentTesla
ab51f40ae7b2df2020a33ea8096e84eca86cb5b1eea1d18b2f2fa6b6360c1388
AgentTesla
eda8f8050e6734ff91e0c51870b8d02977546fae360385c9c398c95d9fee6be0
AgentTesla
+ 11'712 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200812-t8k2p37gd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f6c89a2569d5cf213a0cba5a78eef2d116a0325a6128190a3832f74f9df887b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z ec8647b4b366e0501c5ebf5a7b21cce13ef42303d5681fa06b5a1b3180fc77fe

AgentTesla

Executable exe 6f6c89a2569d5cf213a0cba5a78eef2d116a0325a6128190a3832f74f9df887b

(this sample)

  
Dropped by
MD5 b667e44ef2511463667da29411e92978
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44286/
  
Dropped by
SHA256 ec8647b4b366e0501c5ebf5a7b21cce13ef42303d5681fa06b5a1b3180fc77fe

Comments