MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6bbb80e9b3eeb6f8460547ec1bba91b9a4641a264f85d7211dcd1649c23fc85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	d6bbb80e9b3eeb6f8460547ec1bba91b9a4641a264f85d7211dcd1649c23fc85
SHA3-384 hash:	1a44ccafc8f69d326d1bc420a293a6f6f7b692cc0193e9eb9ccb38c3e0d55c0498f6f3c663b082292b3db821139e56ab
SHA1 hash:	c4a4fd13ec73adf1743c9df050463f2f92210d5c
MD5 hash:	6f16e6804500d74488f74e64587cb6f9
humanhash:	wyoming-apart-mirror-sad
File name:	MV.BAOGANG GLORY.docx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	436'224 bytes
First seen:	2021-08-17 13:57:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:XmoiHNWnSkdBrmEN5GgIGAgRYpdTGnohx:XekbjGl8YunE
Threatray	8'496 similar samples on MalwareBazaar
TLSH	T117940253394891A7DE289073D1DA82524B277E3646906E9376FC7F3B37332930646BE8
dhash icon	00c0b0c0ee6af818 (3 x AgentTesla)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/179998/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5c8ca7ef-86db-40b3-8967-5d951c81fef0

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/834524

Signature

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d6bbb80e9b3eeb6f8460547ec1bba91b9a4641a264f85d7211dcd1649c23fc85/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-08-17 13:58:15 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2253qdu3h3vw7bdakr7mdo5jdonemqncmt4f24qr3tiwjhbd7scq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1999b409b4fdabafe9343b5a7d3f4ac0a019fe8f1f5d7ca3caf9fbe051c01ca8

AgentTesla

365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2

AgentTesla

36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10

AgentTesla

73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85

AgentTesla

99c692171116b52ea724b6f740a825c680db973e3ff744e9a1b7bb5c34a0c962

AgentTesla

a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55

AgentTesla

e19c08f599af43e73bb73b7183ce1b8a1e6712640d185d6f29ae0cf165bdfef5

AgentTesla

f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90

AgentTesla

+ 8'486 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210817-39hl9pz2jj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

f39ad9a24b22fc87979582ae6938aed15e2eb1208aa0ecdfe7977318123e8a7d

MD5 hash:

0691425c4b9fea8a5cfd96e2f28d8c31

SHA1 hash:

e2c6256d0f3ea2aee42427f09006029ee71e631c

Link:

https://www.unpac.me/results/6fce8d4d-9e33-4c95-93e6-05a906a04cd7/

SH256 hash:

65b98e309ab0ec6d5d838020b039caf8c33b8c131ea4e7e8458fdacdd420a0b8

MD5 hash:

de34db725dac52a1425c259e35cddcd3

SHA1 hash:

7a3a3fd8b6a6a771be60eca5bd5c35854f71c812

Link:

https://www.unpac.me/results/6fce8d4d-9e33-4c95-93e6-05a906a04cd7/

SH256 hash:

14e0d9bd7d4807ea1eae664b2743c24597fe1fecf09bf972ac57a7a9742c4bad

MD5 hash:

3c88329933217b5f1e6dc8a04231c2bd

SHA1 hash:

0edc09bfbe02f6043302b76a55922bc4d09a6e74

Link:

https://www.unpac.me/results/6fce8d4d-9e33-4c95-93e6-05a906a04cd7/

SH256 hash:

d6bbb80e9b3eeb6f8460547ec1bba91b9a4641a264f85d7211dcd1649c23fc85

MD5 hash:

6f16e6804500d74488f74e64587cb6f9

SHA1 hash:

c4a4fd13ec73adf1743c9df050463f2f92210d5c

Link:

https://www.unpac.me/results/6fce8d4d-9e33-4c95-93e6-05a906a04cd7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d6bbb80e9b3eeb6f8460547ec1bba91b9a4641a264f85d7211dcd1649c23fc85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179998/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample