MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6891bfbe19115c4a3f0c80a3be5ea9bf19e76d6933b8b3ef88158fd1679e38a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6891bfbe19115c4a3f0c80a3be5ea9bf19e76d6933b8b3ef88158fd1679e38a
SHA3-384 hash: 07144f549c0e0afc461c942b107350757d994bc0b51b31fcbc3acb29cee5754440d060b8b2232ac7317e3d1dac963263
SHA1 hash: dcc565c59020ebbbbb16a182ac8e469237a58947
MD5 hash: d5c227f9217d13263d97f4a6236e559d
humanhash: autumn-emma-spring-ten
File name:INVOICE 2 B9016492377.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:43'408 bytes
First seen:2020-10-07 16:43:33 UTC
Last seen:2020-10-07 18:00:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:s37fucCn+2QX7/dLClyYZq585K78/VEKyUf2hj:s37fud8rVP4/0Ufq
Threatray 393 similar samples on MalwareBazaar
TLSH 9013D9126AE91818D2FF27B05972007306BD76A3727CC71C1CEF4B8646816766BD2B7E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.devbox12.com
Sending IP: 162.249.2.44
From: Accounts <manuz-e@marudeni.com>
Reply-To: Accounts <allryhan2009@yahoo.com>
Subject: Proforma Invoice accordingly to arrange 50% down payment and 50% balance
Attachment: INVOICE 2 B9016492377.rar (contains "INVOICE 2 B9016492377.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69002/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP POST request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484460
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6891bfbe19115c4a3f0c80a3be5ea9bf19e76d6933b8b3ef88158fd1679e38a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 15:57:23 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2erx67bsek4ji7qzafdxzpktpyz45wwsm5ywpxyqfmp2ftz4ofa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
AgentTesla
286b00dda63a28a1d22aae31f1622b04700207b92ab0f033e8885fb55eaa3e86
AgentTesla
36f888cfcc5ca73bed330401ff231b38012baad656797b803d51157ee2252177
AgentTesla
60db9d2df465b5bfcf2d1c0a71559c57c561d0746a0f3fd7f4e8b9203871cfb8
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf
AgentTesla
e8e343cbb5ec9cf1c0d2d4ce34773c03b18cbdc29811acbee054b0731660ad02
AgentTesla
eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f
AgentTesla
+ 383 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201007-9zrbs1a2ca/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c6891bfbe19115c4a3f0c80a3be5ea9bf19e76d6933b8b3ef88158fd1679e38a
MD5 hash:
d5c227f9217d13263d97f4a6236e559d
SHA1 hash:
dcc565c59020ebbbbb16a182ac8e469237a58947
Link:
https://www.unpac.me/results/e6ec75ca-5ff2-4b7b-a406-db90cbfa4f33/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c6891bfbe19115c4a3f0c80a3be5ea9bf19e76d6933b8b3ef88158fd1679e38a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar a2d1380d9c4f3b9ba15f8464768153025796079a2d057bfc6684c50ff0241523

AgentTesla

Executable exe c6891bfbe19115c4a3f0c80a3be5ea9bf19e76d6933b8b3ef88158fd1679e38a

(this sample)

  
Dropped by
MD5 d170bf1e9bf0f43c4c85a86996c22970
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a2d1380d9c4f3b9ba15f8464768153025796079a2d057bfc6684c50ff0241523
Cape
Cape
https://www.capesandbox.com/analysis/69002/

Comments