MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e6023d1b3b0d62b6d20825ab7a993c3cda55051d56b42bf40db27fdab761b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6e6023d1b3b0d62b6d20825ab7a993c3cda55051d56b42bf40db27fdab761b0
SHA3-384 hash: 76da32aabd53034ec74dc71f086c07f237781415c946cfef5d13599b768007b5d338ce1bfa683edd21464556d84fc171
SHA1 hash: 8434a7cec087f3d4959a69c9d1edece90f7a403c
MD5 hash: 9e11fb8e16efdb52c21e70817816173a
humanhash: cardinal-eleven-illinois-mexico
File name:PO_287104.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:637'263 bytes
First seen:2021-04-02 09:01:52 UTC
Last seen:2021-04-02 09:55:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:09X0G5o8yaWXrivRM7YZ/XJrEWKmG1mmQKCbZB90ns55bPwfqXX7kAsyKaF:60sI89BrBKmfKCF/0svAqQpvY
Threatray 3'978 similar samples on MalwareBazaar
TLSH BCD4F9D1F150C8DAED6B09F1AD2BA53024D7BE9C94A4410C56ADBB1B76F3342209FE1E
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_287104.exe
Verdict:
Malicious activity
Analysis date:
2021-04-02 09:14:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c688a277-6318-4f0d-9678-e40b00eee54c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/131645/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.1376.25209.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Sending a custom TCP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c415f22e-6109-4689-b53e-1c2ee741157a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/663522
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b6e6023d1b3b0d62b6d20825ab7a993c3cda55051d56b42bf40db27fdab761b0/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 07:58:49 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3taepi3hmgwfnwsbas2w6uzhq6nuvifdvllik7ubwzh7wvxmgya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b059ab1c0eca910c2882e26ac6f2e8ab795f0749294dfff4af528cb788d2d47
AgentTesla
3332ae8c0f7892922ad49600076bf9f76080ce02a6071be444299815f26c66db
AgentTesla
542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def
AgentTesla
62e4849bf2b02dd9508f6db60bc9f0d0e982ddfb607b9816e4a777c8cf5542ec
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
9dbd31bbb8546392e2d60247f5010a176ff2625a0bbb626476b7f4c15625fb5c
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
cc3bb45f7ae048de5c4a33a22f97d7e7e4b592a990bfe403606c2627cf441b02
AgentTesla
d86e152d1a1ed576cf10f18573fc08868ec938fbb655d38d23aebddbfe1bb323
AgentTesla
e41c50d817a963a03c07188bda3e42f164f1ce189f2875dc7f5125594d4ec159
AgentTesla
+ 3'968 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210402-wfr8fcrszn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ee9a39b0eca19b86084d3232ad34ec426d5373e357826142a4698a5edca7f136
MD5 hash:
affead08b31989c2d430065a014f0e02
SHA1 hash:
7c23d774cfbc51c14368cbaed7334bda1fbb859c
Link:
https://www.unpac.me/results/5c64d627-ce85-4580-b4ad-b4cf0c39b865/
SH256 hash:
b6e6023d1b3b0d62b6d20825ab7a993c3cda55051d56b42bf40db27fdab761b0
MD5 hash:
9e11fb8e16efdb52c21e70817816173a
SHA1 hash:
8434a7cec087f3d4959a69c9d1edece90f7a403c
Link:
https://www.unpac.me/results/5c64d627-ce85-4580-b4ad-b4cf0c39b865/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6e6023d1b3b0d62b6d20825ab7a993c3cda55051d56b42bf40db27fdab761b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 06a7a27bb885699c587413d9c640c761b27f6745a76902175cbd8a45420a4f21

AgentTesla

Executable exe b6e6023d1b3b0d62b6d20825ab7a993c3cda55051d56b42bf40db27fdab761b0

(this sample)

  
Dropped by
MD5 242b70e0daf5d7043cc9525cd6dd206e
  
Dropped by
SHA256 06a7a27bb885699c587413d9c640c761b27f6745a76902175cbd8a45420a4f21
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/131645/

Comments