MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d
SHA3-384 hash: 6e51927c98ea3f93dfa4440306d845ef1c568be442a15cdcfaaf034119f3c1294c0ddd54b5e8dc30f8e21e821ef4d88c
SHA1 hash: 3182db783dd2713d9971bf6539304c83eacc0b35
MD5 hash: 822545bbbff1e68337bfd9e87ab08aeb
humanhash: white-lemon-tennessee-seventeen
File name:Order specification & Drawing_Docx.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'139'465 bytes
First seen:2021-10-20 05:37:38 UTC
Last seen:2021-10-20 12:03:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (864 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:9AOcZy9q/IR1RIxXEWzBkoIpsqxFhINdb5pO0i0buNTbF:HVipEk5q5Y3O31F
Threatray 13'129 similar samples on MalwareBazaar
TLSH T1A5350253F7CB8C72D3B205311E2556109A3A3BB41B378A3E77C41A69F5365822136FBA
File icon (PE):PE icon
dhash icon 4f8f090c0c098f4f (6 x AgentTesla, 2 x Formbook, 1 x AsyncRAT)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198700/
Detection(s):
Win.Dropper.Nanocore-9900258-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/616faf7fa9d585e6d52e474c/reports/6b981da5-a419-4e1e-9908-ca34478deab5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fc1676f9-5aae-4ae4-b714-b6ffd17a8d1d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873558
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious MSHTA Process Patterns
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d/
Threat name:
Win32.Trojan.Lisk
Create hunting rule
Status:
Malicious
First seen:
2021-10-20 03:19:03 UTC
AV detection:
17 of 44 (38.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnscj5qfcrk32fsve7lp2h6b43kifeswf2yx5kaeeuaymjisn46q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d8d1ed93e2bb02931e7184988ad25b149d75beaaf5c4604144aef7981352109
AgentTesla
23570421eab96d998896192bff68e9ec54d2e97dc19bf62e26c856a3a668cb05
AgentTesla
29bc7a7ec63bb64f38ebead4028fd2fd1cf46f9d9cc3ba85c7aca32182477abc
AgentTesla
3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2
AgentTesla
3bff4a308ecd13d7ee25b1327195eb52319660f220377dfc2224ac987ad97778
AgentTesla
7d099dcd6d912e29120d1eca72f100724fa776e8a1f80b22fbb52e6de905d324
AgentTesla
a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183
AgentTesla
caaed96b3aad8d2a3329b5088346af448509c2b2a2ead06af6fa3804fa9ef44b
AgentTesla
e79ef9ac540330942b1185f71c77d95e6582ea77c4eedc0740a19afeebb59323
AgentTesla
+ 13'119 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211020-gbqrzshehn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d
MD5 hash:
822545bbbff1e68337bfd9e87ab08aeb
SHA1 hash:
3182db783dd2713d9971bf6539304c83eacc0b35
Link:
https://www.unpac.me/results/29681277-4095-439c-a788-de91c83d4083/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bb6424f60514/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198700/

Comments