MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6f1d67ac3535b18063bd2899b68ec65017f6ff31b042a3dee80d1f0e8a3dea8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	c6f1d67ac3535b18063bd2899b68ec65017f6ff31b042a3dee80d1f0e8a3dea8
SHA3-384 hash:	0f81c9981827685b6352bc09ae02d23c5abb8336861051096a0c406b5aec4c56f63aa5161204dcf3f83dc507b3f67793
SHA1 hash:	942ce2e58886bd0d763540dc16b25dd68000b2e5
MD5 hash:	543673ada3d2bfb33c97e687aa1d8009
humanhash:	fix-burger-vegan-king
File name:	PO-2020-SGL-014 PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'842'688 bytes
First seen:	2021-05-14 05:49:07 UTC
Last seen:	2021-05-14 06:02:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:E8H/JgydtibPw9pg05i2eqxZyvkJlxm0Zw:rXPIPwp0nayvU3m0
Threatray	4'935 similar samples on MalwareBazaar
TLSH	1C859D121F050F5DE03DABBDB436141987F87E45F3E0EE5DB89939D827BAB028D4A252
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO-2020-SGL-014 PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-05-14 05:50:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/612752ed-c510-41ac-82ee-93eae0be050b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/156406/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/781589

Signature

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c6f1d67ac3535b18063bd2899b68ec65017f6ff31b042a3dee80d1f0e8a3dea8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-13 07:18:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

147

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y3y5m6wdknnrqbr32kezw2hmmuax637tdmccuppoqdi7b2fd32ua._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

490ae1eb1637910af1a69c6317ef81a47518b809f5b6da4b8f66d72582e25b9b

AgentTesla

6f88a4bdf6ca9a0b63e8dca6b56c2431acaccb7b58a6ddf5166028756c172d5a

AgentTesla

77ccf33c233dd2f10f699699ca25eff2c6da889962f898b244244a1df4ebc806

AgentTesla

86252b6aa3b9d40cf6c63175d7f5764c9a8c45c076173236f3a0efc8730e43bc

AgentTesla

969d7de974220c1a8067ff973c359581fa7ff0aba079a8a81537460b4e3810c0

AgentTesla

c16f4626760b9573aa34cbf027cc7b4a5c59b0506db3674f7252535c00e7c0c5

AgentTesla

c3d7fef20e22a2a50e8762c39aa40caae7ec5a074ce39bb610f58ea2c6349f20

AgentTesla

d2f11d2995111eda98cd7fc24d77450eda99160e6f30bf426a88012ec835d941

AgentTesla

d6ff339c056def1d5e03ecbfea9e55dbd8f556885b2fdcce27ddff7e040152c8

AgentTesla

+ 4'925 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210514-f6cdqvtrbn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c6f1d67ac3535b18063bd2899b68ec65017f6ff31b042a3dee80d1f0e8a3dea8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	hancitor_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 41ad720e2f7874297da1a5d6f53fceb1639f7451d84baef77bb69252bc6d0eb4

AgentTesla

exe c6f1d67ac3535b18063bd2899b68ec65017f6ff31b042a3dee80d1f0e8a3dea8

(this sample)

Delivery method

Other

Dropped by

SHA256 41ad720e2f7874297da1a5d6f53fceb1639f7451d84baef77bb69252bc6d0eb4

Cape

https://www.capesandbox.com/analysis/156406/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample