MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc6c48150c475d3312f01a96a5301e2263cc4c821e2d6a48b4bb2bdb07edb968. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7


SHA256 hash: cc6c48150c475d3312f01a96a5301e2263cc4c821e2d6a48b4bb2bdb07edb968
SHA3-384 hash: 5ed3895989d7881c29cd32080dcde0f2219eb1fb9caebfe4c50da012e46a847f2930058ae967b227b51dd4862b004dff
SHA1 hash: 2ba84cb49cebb46cffa78465a219fe48605b97e4
MD5 hash: 2c2541097930623674dacb247acae45d
humanhash: table-sink-kentucky-shade
File name: PO6447484838.exe
Signature: AgentTesla
File size: 455'016 bytes
First seen: 2020-10-20 08:22:20 UTC
Last seen: 2020-10-25 21:17:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 3072:fjUoepZODocFBcxgR/cG+DKduDOa1XOUF7teeXTBAXk4TkFe4X11H411RH41k1B7:fKiR/mguD/FLD6IUuQaKV7E0R
Threatray: 664 similar samples on MalwareBazaar
TLSH: 31A4A258EAEA2C62DD7465BA9FD31B820FF970971078E2381CC49BE141137613BDBE49
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

HELO: outgoing12.jnb.host-h.net
Sending IP: 129.232.250.60
From: Thayalan Perumal (BUILDER) <nelson@ngipsatelecomms.co.za>
Subject: Fwd: Please send invoice
Attachment: PO6447484838.rar (contains "PO6447484838.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
DNS request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph: [rendered as an image on the original page; Behavior Graph ID 300839, sample PO6447484838.exe, start date 20/10/2020, architecture WINDOWS, score 100. The graph shows the process tree (PO6447484838.exe spawning a second PO6447484838.exe and timeout.exe, with WerFault.exe and conhost.exe) and the contacted hosts www.google.it, hastebin.com over 443, and aviner.co.za / mail.aviner.co.za over 587.]
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2020-10-20 04:32:22 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: spyware keylogger trojan stealer family:agenttesla
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: cc6c48150c475d3312f01a96a5301e2263cc4c821e2d6a48b4bb2bdb07edb968
MD5 hash: 2c2541097930623674dacb247acae45d
SHA1 hash: 2ba84cb49cebb46cffa78465a219fe48605b97e4
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam > AgentTesla > Executable exe cc6c48150c475d3312f01a96a5301e2263cc4c821e2d6a48b4bb2bdb07edb968 (this sample)

Delivery method: Distributed via e-mail attachment