MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818
SHA3-384 hash: 12d87e42b0b11b37520caed1c1d37f61ae4a7031ad8895761332a19e53df0075cceab8019fa14b9a0df9fd0d28a4013c
SHA1 hash: 69628ffb988dfe474b47f9f8e715fda2e7aa4273
MD5 hash: 2d46889b6d794ac1fcf58bf340c4666a
humanhash: two-pluto-eleven-early
File name:SecuriteInfo.com.Trojan.DownLoader34.56156.11553.32083
Download: download sample
Signature AgentTesla
Create hunting rule
File size:50'976 bytes
First seen:2020-09-28 09:06:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:k18uu5iglPDoMZLSIElnC4DYsYIYsYZYsYZYsYZYsYIYsYl8EeufVZu0OFjPWUfC:k18uu4g3ZLSIEln04fVPWWUf
Threatray 189 similar samples on MalwareBazaar
TLSH 4033A41936594D18FA7A363D9C338500C3FE7EC60833E72AADC941DD9FA2954CA54B27
Reporter SecuriteInfoCom
Tags:AgentTesla

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Sep 27 23:08:44 2020 GMT
Valid to:Sep 27 23:08:44 2021 GMT
Serial number: A75950A89EEE054846897302B70DE8EC
Thumbprint Algorithm:SHA256
Thumbprint: 43D8C583CBC5F8EA65C14E1DC242C57F624953E35D2F4AA68492B3AC8A9864F7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66374/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.56156.11553.32083.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/476287
Signature
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Hides threads from debuggers
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 290594 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 28/09/2020 Architecture: WINDOWS Score: 92 50 smtp.yandex.com.tr 2->50 52 smtp.yandex.ru 2->52 54 3 other IPs or domains 2->54 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected AgentTesla 2->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->70 72 4 other signatures 2->72 8 SecuriteInfo.com.Trojan.DownLoader34.56156.11553.exe 17 4 2->8         started        13 SecuriteInfo.com.Trojan.DownLoader34.56156.11553.exe 2->13         started        15 SecuriteInfo.com.Trojan.DownLoader34.56156.11553.exe 2 2->15         started        17 SecuriteInfo.com.Trojan.DownLoader34.56156.11553.exe 2->17         started        signatures3 process4 dnsIp5 56 paste.nrecom.net 8->56 58 server5.nrecom.net 37.120.174.218, 443, 49721, 49728 NETCUP-ASnetcupGmbHDE Germany 8->58 60 192.168.2.1 unknown unknown 8->60 46 SecuriteInfo.com.T...r34.56156.11553.exe, PE32 8->46 dropped 48 SecuriteInfo.com.T...exe:Zone.Identifier, ASCII 8->48 dropped 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->76 78 Creates an undocumented autostart registry key 8->78 80 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->80 82 Drops PE files to the startup folder 8->82 19 timeout.exe 1 8->19         started        21 WerFault.exe 23 9 8->21         started        23 SecuriteInfo.com.Trojan.DownLoader34.56156.11553.exe 2 8->23         started        62 paste.nrecom.net 13->62 84 Hides threads from debuggers 13->84 25 SecuriteInfo.com.Trojan.DownLoader34.56156.11553.exe 13->25         started        28 timeout.exe 13->28         started        30 WerFault.exe 13->30         started        64 paste.nrecom.net 15->64 32 timeout.exe 1 15->32         started        34 SecuriteInfo.com.Trojan.DownLoader34.56156.11553.exe 15->34         started        36 timeout.exe 17->36         started        file6 signatures7 process8 signatures9 38 conhost.exe 19->38         started        74 Installs a global keyboard hook 25->74 40 conhost.exe 28->40         started        42 conhost.exe 32->42         started        44 conhost.exe 36->44         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2020-09-28 03:33:02 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2u6nne6olno76775hcg6vvvcr6rrbp7bmwcajky26kmewfxdama._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10afc2fcb1ac4d85ac3076f260e008dccee9f1715fd56d1fa6180d504655275d
AgentTesla
254e6d691fc7292fba06fc4f127d509743961835b12079ccc5a96f53ffee1648
AgentTesla
68c67f845d8c48aa74901553deb7cc31b7f2a27954d75e4f67093c70f81eb9d6
AgentTesla
8ca10b0fcde48ff00c9218062eb8aefe2a9d3ddc5e240a9da4a2e7764cbfff90
AgentTesla
b3332f865f362bd89aaa305a8b8ec5d3e5b6ddae9e704b70a2d36723550415b0
AgentTesla
b646b8f4e9a67cab72124eaa7db809117f7d887e27e2eaafffacdc2703668cda
AgentTesla
d3345db33851543b968f728d2a342c49dc72b0dc633da851518d8585e53af3ce
AgentTesla
d5d44e7e31d0ae752539ce070a13f61d68bef86bb29b2f1650b2dfb42e999729
AgentTesla
f33465f150ab2953fc885528545da23ce9c986c2358f4857a418cfdeb95f6979
AgentTesla
f684db86a351d46abae72b79e26a108b75365f2c4819818f0e353f94326042ea
AgentTesla
+ 179 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200928-yyknsepwja/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818
MD5 hash:
2d46889b6d794ac1fcf58bf340c4666a
SHA1 hash:
69628ffb988dfe474b47f9f8e715fda2e7aa4273
Link:
https://www.unpac.me/results/b2cccfe8-b20c-4c27-9c09-ece393f9fd2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/615515/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66374/

Comments