MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fcca7d4771894d9ef0df099f61eba0e2c4a6f46a3aa316829e2ff67e133e958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fcca7d4771894d9ef0df099f61eba0e2c4a6f46a3aa316829e2ff67e133e958
SHA3-384 hash: b4e345cd54e7106dec2ed73d97963fc5a9bda7de6696e8420aae872c12ee9a29b12f18e30081903c4f8850773f6cc022
SHA1 hash: 89819320fa9f538dd551702cf23a7fe1d1111bbf
MD5 hash: a4ead0b608246f2df5dfc1142df7936e
humanhash: west-sweet-carbon-december
File name:TNT Shippment Documents_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:464'896 bytes
First seen:2020-09-30 08:22:53 UTC
Last seen:2020-09-30 14:05:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:mDqFCI0dKP2BgdyQ6qJQs6Xv33Yd8pa3DHSNeI7sW2RoG3292EwA/trYh7+sYuxS:meIQy8CvED2MIj2R/3Mw6JYNx4vVf
Threatray 227 similar samples on MalwareBazaar
TLSH C6A4D02122D44763E0BAEB78242DCC1047F3E51BD32FEE18FEA5D4790B2FB518666646
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67048/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.1230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/478112
Signature
Disables Windows Defender (via service or powershell)
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 291506 Sample: TNT Shippment Documents_pdf.exe Startdate: 30/09/2020 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AgentTesla 2->36 38 Yara detected AntiVM_3 2->38 40 8 other signatures 2->40 7 TNT Shippment Documents_pdf.exe 1 6 2->7         started        process3 file4 32 C:\...\TNT Shippment Documents_pdf.exe.log, ASCII 7->32 dropped 42 Disables Windows Defender (via service or powershell) 7->42 44 Injects a PE file into a foreign processes 7->44 11 TNT Shippment Documents_pdf.exe 7->11         started        14 powershell.exe 25 7->14         started        16 powershell.exe 22 7->16         started        18 12 other processes 7->18 signatures5 process6 signatures7 46 Installs a global keyboard hook 11->46 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 18->26         started        28 conhost.exe 18->28         started        30 9 other processes 18->30 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fcca7d4771894d9ef0df099f61eba0e2c4a6f46a3aa316829e2ff67e133e958/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-30 08:24:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7gkpvdxdcknt3yn6cm7mhv2byweu32guovdc2bj4l7wpyjt5fma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16d026f0d1866dc8e6cc6ae6d3db171c7b339b9bbdde6fb28d0ee6de633d71b3
AgentTesla
6beff4ded7f127b4525fbd2c5ae4894b5f525b8c143814108830e26b9c9a9ec3
AgentTesla
be2763ce4e6c5c6a228efc795006966af947a33bb7992121d9f139f161f7ab15
AgentTesla
c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818
AgentTesla
c95b9b5cf40c96d46c8a6443c458575ccb0cff8e0f750a3e9506c62a155bcfb0
AgentTesla
cf6f2cd62d7af0433fb12b090fa9f761d272b74606bbe78bb1d939ef5c48d89d
AgentTesla
d3345db33851543b968f728d2a342c49dc72b0dc633da851518d8585e53af3ce
AgentTesla
d7f3cc72163e809b398c83abb04b237d3f900fee8886e862995a2e5995c3d627
AgentTesla
f12f4b781bf840c73392ff9ff9562bf099f8843a7274f674571d41fb0bdee151
AgentTesla
fb9170b75704e2202310a4ea95652f93cfcc6d4c4700055156ebb8e5532c4a9b
AgentTesla
+ 217 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200930-tcbx3fa736/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
6fcca7d4771894d9ef0df099f61eba0e2c4a6f46a3aa316829e2ff67e133e958
MD5 hash:
a4ead0b608246f2df5dfc1142df7936e
SHA1 hash:
89819320fa9f538dd551702cf23a7fe1d1111bbf
Link:
https://www.unpac.me/results/3a8a0cad-ade8-4875-aab1-55d492299bb1/
SH256 hash:
fd8369723b0fa257c4185d9cd27b3c25793c8ebfe40a896ece8b8df751dd98f2
MD5 hash:
087ed9d0341eaa4be98a3ec631838995
SHA1 hash:
11435905e1303612c35ba9fb7808df823b54c4ef
Link:
https://www.unpac.me/results/3a8a0cad-ade8-4875-aab1-55d492299bb1/
SH256 hash:
f435d5367695827875834e913d895da1190e69066ab676933f7783b6109be736
MD5 hash:
360af0517a1b9969cdbb47c029900e52
SHA1 hash:
1ccff135b018d1abd58c69d316526b5dfe6eaf06
Link:
https://www.unpac.me/results/3a8a0cad-ade8-4875-aab1-55d492299bb1/
SH256 hash:
9935ba8ecc8473f274835a59d0c854e7b4a59fbceb4e7892a43a7275af63a15b
MD5 hash:
a4fcd31531a65636b4c0c7386ea3425a
SHA1 hash:
9808a6501030f44b3afa94b6f790c639edaacb5f
Link:
https://www.unpac.me/results/3a8a0cad-ade8-4875-aab1-55d492299bb1/
SH256 hash:
785261875049471f6432827571071af39fdb06ec0a223224c12792201a9f66e5
MD5 hash:
e41b095949e16c551511c80acfc18ac2
SHA1 hash:
c1c9299481d8604297151f48ac8c790c9e920504
Link:
https://www.unpac.me/results/3a8a0cad-ade8-4875-aab1-55d492299bb1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fcca7d4771894d9ef0df099f61eba0e2c4a6f46a3aa316829e2ff67e133e958

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f08e7b6b2bb27a4345043ce2817ecd256914cfa53db6154ec1645cc0d24c8f46

AgentTesla

Executable exe 6fcca7d4771894d9ef0df099f61eba0e2c4a6f46a3aa316829e2ff67e133e958

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f08e7b6b2bb27a4345043ce2817ecd256914cfa53db6154ec1645cc0d24c8f46
Cape
Cape
https://www.capesandbox.com/analysis/67048/

Comments