MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5
SHA3-384 hash: 692d4d97e9854bc0c43dc2d98cbf2d148a72ab46907849273e75c48cd9317f80a0ef544807d2884940e3342edc919aa0
SHA1 hash: a3e2500914a65c6a885da250852c72cd10cca0b8
MD5 hash: 8ad3308a019c5aa5d075ca0786d9bcc4
humanhash: solar-friend-eighteen-magazine
File name:drawings-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'905'088 bytes
First seen:2021-05-05 05:41:49 UTC
Last seen:2021-05-05 07:12:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:NWlCZ1jqcjMs1mhJT5+G1eVNeMegrGeDJySRROA+YIJxFHgFVQaQDggDQUuLAwc+:N
Threatray 1 similar samples on MalwareBazaar
TLSH BCD5C96574FBAAADBBF7FF08918D80E21813FE945D3C7521239925260296A41DCF0B3D
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149902/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.29.18243.15807.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/711444
Signature
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404648 Sample: drawings-pdf.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 72 19 Found malware configuration 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected AgentTesla 2->23 25 Machine Learning detection for sample 2->25 7 drawings-pdf.exe 4 2->7         started        process3 file4 17 C:\Users\user\...\drawings-pdf.exe.log, ASCII 7->17 dropped 27 Hides threads from debuggers 7->27 11 cmd.exe 1 7->11         started        signatures5 process6 process7 13 conhost.exe 11->13         started        15 timeout.exe 1 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 02:47:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3cl56qythszyz4sxbytikaaobnc6yyo44vaj3jldsofznu3idsq._file
Verdict:
unknown
Similar samples:
04c9ccc533b33d9eaa98a4f82f32bcd142c1228492d195ab5335c094643b7a7c
AgentTesla
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210505-bv1jvz5dn6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
42bfe5672507d7a69226d46b672e13fb2152d36c3085ef9d7ca3db01336c1f59
MD5 hash:
d4f7514b10f78dddb9db313c33285ee3
SHA1 hash:
8c41a81db24a127ba47cbc08155f445b163e3f33
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/8fb8a0cf-6720-4a12-bf72-b4f1db42c222/
SH256 hash:
53e57a35e039e5fa9555f320c12a0877758feb669827a441f6c92d13ce8e4264
MD5 hash:
9b13af7530949cb7858f7fef747868e7
SHA1 hash:
7e8d02e7121fc6c73e133277a8ae61bc25bb1b97
Link:
https://www.unpac.me/results/8fb8a0cf-6720-4a12-bf72-b4f1db42c222/
SH256 hash:
b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5
MD5 hash:
8ad3308a019c5aa5d075ca0786d9bcc4
SHA1 hash:
a3e2500914a65c6a885da250852c72cd10cca0b8
Link:
https://www.unpac.me/results/8fb8a0cf-6720-4a12-bf72-b4f1db42c222/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz bd66495f080f351bee31c00597dc436e737bbe2468bded6b4313085dabeb4eb0

AgentTesla

Executable exe b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 bd66495f080f351bee31c00597dc436e737bbe2468bded6b4313085dabeb4eb0
Cape
Cape
https://www.capesandbox.com/analysis/149902/

Comments