MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1a6c554cefde94f01c1a31fc95e387d77314de1e9168e444d3f84eb64b04692. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	a1a6c554cefde94f01c1a31fc95e387d77314de1e9168e444d3f84eb64b04692
SHA3-384 hash:	6a17c586c85a04bd0e79d8c0c357e1ef620cc70c9e6350363f78fbb7d39b843f8bb2205817f6673e539b7e7040d4ab58
SHA1 hash:	65a307f9d50f45731b846c55a7e060096dafce02
MD5 hash:	be3f5ece0a491bfa8e698bf536a4518e
humanhash:	alaska-pennsylvania-three-butter
File name:	NEW ORDER GB98759^Docx.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	325'632 bytes
First seen:	2021-12-22 09:08:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:/6ZeyWvCiBDK8vic7Xlaze4xg0kQyR5UUn3/LlJ3KY6CviSwfmkLde21:CZEvn9jlse0Fysq5J6dCviSwfm4
Threatray	13'546 similar samples on MalwareBazaar
TLSH	T16764AD9D3210B6DFC86BC476CFA81C74EA61747B531B9213A45316EE9A1E89BCF140F2
File icon (PE):
dhash icon	8ec272daccc6e273 (15 x AgentTesla, 5 x AveMariaRAT, 1 x RedLineStealer)
Reporter	TeamDreier
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW ORDER GB98759^Docx.scr

Verdict:

No threats detected

Analysis date:

2021-12-22 09:12:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/efc16403-126d-4fd3-9736-5c13d4b0b2c4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/215754/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61c2eb338991ba72b391aeb3/reports/553e082f-d4b0-4c7a-97ba-3f6f9a7b10b1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dynamer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e5fe9b64-e600-4cb9-8d90-b5e5c64ac6bb

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/911432

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Obfuscated command line found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1a6c554cefde94f01c1a31fc95e387d77314de1e9168e444d3f84eb64b04692/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-12-21 11:07:48 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ugtmkvgo7xuu6aobump4sxrypv3tctpb5eli4rcnh6cowzfqi2ja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

30bdd664f7e71f26f994499375294d5f204c69dce5efad7ba8e03e7f7e74eeed

AgentTesla

3a65563682d5f974fb3f64cbc099a9c2077498245cf82b7b0e218685696344d1

AgentTesla

509ae0f76df3434c96b8ac3d54bda6d2c026602b983c655c54ff548c22a1fd93

AgentTesla

57b41f4b28beb37f911a1d4d66642b8ed5f629cde068bdfdad6e48c41550b51d

AgentTesla

746c7b9ef2af8d9fd8aab245cdd5fe9af49144766040223a77e4f6d87a12658a

AgentTesla

78d9ca06a7edacc70dacf6967f4f35c6bdd8f94f30f6c5cfbdbeb250f91907b2

AgentTesla

961b0d1fdca9f4024ac4a3a8d90227433276a7f0e204d0aae55291fa98006284

AgentTesla

b7ee9dc9f6aabd03f2d729d3bc0a1af443079bbe5c6c135f1cb61a07b26e7dc0

AgentTesla

be1028b0b899c7aaba1312bc9cfd13e83fd592d2a89691ade180e97588f24a30

AgentTesla

+ 13'536 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211222-k4gassfbf3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

Core1 .NET packer

AgentTesla

Unpacked files

SH256 hash:

a1a6c554cefde94f01c1a31fc95e387d77314de1e9168e444d3f84eb64b04692

MD5 hash:

be3f5ece0a491bfa8e698bf536a4518e

SHA1 hash:

65a307f9d50f45731b846c55a7e060096dafce02

Link:

https://www.unpac.me/results/c6e1d6c8-fda7-495e-85ce-100d2d1e8f87/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.66

Link:

https://yomi.yoroi.company/submissions/a1a6c554cefde94f01c1a31fc95e387d77314de1e9168e444d3f84eb64b04692

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe a1a6c554cefde94f01c1a31fc95e387d77314de1e9168e444d3f84eb64b04692

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/215754/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample