MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6c1faa749cd1365c95ba2052c3eea5b4aa7a19d6c8a86e977413f276cf40ed9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6c1faa749cd1365c95ba2052c3eea5b4aa7a19d6c8a86e977413f276cf40ed9
SHA3-384 hash: a805138ab3951fc36f29556e7c9d7ddc16349eaf7829754e6bc65d4f282b0a2bc1dfdb939841f3a5bf655cc25082a270
SHA1 hash: d3ff58e12f0da92fc3e636ec99602685a59fee8b
MD5 hash: e0d1b713485559c31f1893e744161f68
humanhash: red-music-hamper-idaho
File name:URGENT QUOTATION_#345TPT3#.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:757'760 bytes
First seen:2020-06-24 05:34:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:JmwwNMfwonB3BHrNnnNyIodaW1g3JoXCmZ0spoVXajuA+:UwwN6nTlnPoAWsqXCUoF
Threatray 10'734 similar samples on MalwareBazaar
TLSH 03F4E183A844D162C6A415B996C9EE38277B2ED865C0F19A28D43CD73DEB3DB14339C7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: petrit.best
Sending IP: 104.129.0.123
From: Kobelindo Trading Co.,Ltd<tad3@tokai-kasei.co.jp>
Subject: URGENT QUOTATION_#345TPT3# & INQUIRY DOCUMENT
Attachment: URGENT QUOTATION_345TPT3.Z (contains "URGENT QUOTATION_#345TPT3#.exe")

AgentTesla SMTP exfil server:
mail.bmmarine.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13398/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6c1faa749cd1365c95ba2052c3eea5b4aa7a19d6c8a86e977413f276cf40ed9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 02:21:48 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=23a7vj2jzujwlsk3uicsypxklnfkpim5nsfin2lxie7so3hub3mq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32
AgentTesla
666b4d8521af8e8c149431fea4f3fce4d859b9d102e894928edb0e005ad8153d
AgentTesla
69e1a15be2f6adc6268ec617568b3d2725122eb8d34873c23a7117b24e8b6854
AgentTesla
7523c12a912fa702d0d82798e013bf01d7be7b4b0fd08989bdb48c04738c876c
AgentTesla
76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4
AgentTesla
82bdf1c9eeecb62113d9b063bcf848c14e4cecf21950b129fefeb40d6ec95a70
AgentTesla
8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95
AgentTesla
b88e0edb83dadb3c26add0d4811a6a2f74c69a1fa361291a98bfdecca0c9ff8e
AgentTesla
b9620fd88aff4f05ecddda888f13bd8c5780f6fb2c1f5df66c64ce5854cd82d8
AgentTesla
f6418cb1cf7a9024b0a8e7f736c45f0a7e8aaa5ecd2d41241f20a56ea05ccf07
AgentTesla
+ 10'724 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-6zh9jxqd4n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 300b3772c1c64a517102c350e5eed1d01e0fa2c3f5558e974b4eacac09a71939

AgentTesla

Executable exe d6c1faa749cd1365c95ba2052c3eea5b4aa7a19d6c8a86e977413f276cf40ed9

(this sample)

  
Dropped by
MD5 ef72112294b123f95bdd64298d9e3d48
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13398/
  
Dropped by
SHA256 300b3772c1c64a517102c350e5eed1d01e0fa2c3f5558e974b4eacac09a71939

Comments