MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6b92ecd3617d817df1553d6ea6bc37afa5c527ffc997c94eee5223efa6c0c26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6b92ecd3617d817df1553d6ea6bc37afa5c527ffc997c94eee5223efa6c0c26
SHA3-384 hash: 189a7ac518d833295a756b738381588d4eb7cfc71571f9dd6d804836bd8057d16eb9dc6e16ad8a3e03dd0f3e6667788e
SHA1 hash: 1b30d925e29a0cf71ec8dc9cf216ac4bb2376567
MD5 hash: 75ea73923fd84adc68f7e68c36433351
humanhash: illinois-lemon-apart-papa
File name:75ea73923fd84adc68f7e68c36433351.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:947'712 bytes
First seen:2020-10-16 18:02:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:JwvatQWs8BR9Ofx5JjRpKqDzbSwvfmgX8z3KmS26YmQR8JX6UjcQDcqDwJLjJkt/:JwvatQWs8BR9Ofx5JjRpKqDzbSwvfmg/
Threatray 10'838 similar samples on MalwareBazaar
TLSH CE15E03A7D5C4025ED0D4B7A87DF0B2553F0D1420A29DF4B258D27A94B2B2EAED4B339
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72242/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3432.3811.5154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494103
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d6b92ecd3617d817df1553d6ea6bc37afa5c527ffc997c94eee5223efa6c0c26/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 15:11:17 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=224s5tjwc7mbpxyvkplou26dpl5fyut77smxzfho4urd56tmbqta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24d5ae18d6995c5afcb2ba03c90cbebde633c69c5f3a5f1fa157c1d4fcd84928
AgentTesla
28af2ba9b0384e3d4f9754ee8a62bb812c9a4d39bad72a56c38e75b38578537c
AgentTesla
32635286140f13f1690c483c2a06bacc67990427515f37a6cf2d93c8a30db5e9
AgentTesla
71a4df5f7ec7a6fc953f090d09b068a43b7fb10ae0050d759f32aa2e48c8377a
AgentTesla
9df937adf6a22c071b3d975135efa00bee0a9ad5fb22e6ef37c43dd79d90b030
AgentTesla
b598c7c48f10c889b428a265396073f9ae33717566c1fae28c9a8d83406e3573
AgentTesla
bc96a7521bd576710b531a2b2dd6d7f4b4a0854f6ef8285ec83e0515d27ff299
AgentTesla
d98e2c229e3a1c2838db37ae64beb70f3f0ef709059deda5edca76ed31bc54fd
AgentTesla
e92f8fb4f206c2ebf57c7e2db8e28efe3d8580b61c70de8463fbfc0967542b67
AgentTesla
f5bc5555d6b03bad237a916d07e05148d44cae649e932726a15ea1595fa60f4b
AgentTesla
+ 10'828 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/201016-gretv6gh2a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d6b92ecd3617d817df1553d6ea6bc37afa5c527ffc997c94eee5223efa6c0c26
MD5 hash:
75ea73923fd84adc68f7e68c36433351
SHA1 hash:
1b30d925e29a0cf71ec8dc9cf216ac4bb2376567
Link:
https://www.unpac.me/results/1e11f68d-122f-4bd8-bf5b-377f6aacc749/
SH256 hash:
a968ef7d63a96393b54ae6ea9920bf1c59fece85802fee4c222db24c19b7dccc
MD5 hash:
544677b92ff433ece1bd31d19951bbec
SHA1 hash:
644594895e61cdeceb02854bc2bd54b1d788df6e
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/1e11f68d-122f-4bd8-bf5b-377f6aacc749/
Parent samples :
9df937adf6a22c071b3d975135efa00bee0a9ad5fb22e6ef37c43dd79d90b030
d6b92ecd3617d817df1553d6ea6bc37afa5c527ffc997c94eee5223efa6c0c26
SH256 hash:
9361df01cb2fb07c2fb1ded032dfc0c1737f3f6fba57f38f8b21bdb589753600
MD5 hash:
d838f26be15ea3c6e9d82a33c3551c36
SHA1 hash:
c5e96278ff6202b85a2db891cbc5f1aabd8bf1e2
Link:
https://www.unpac.me/results/1e11f68d-122f-4bd8-bf5b-377f6aacc749/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6b92ecd3617d817df1553d6ea6bc37afa5c527ffc997c94eee5223efa6c0c26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d6b92ecd3617d817df1553d6ea6bc37afa5c527ffc997c94eee5223efa6c0c26

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/72242/
  
URLhaus
https://urlhaus.abuse.ch/url/702990/
  
Delivery method
Distributed via web download

Comments