MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de0f6d3156577dbace690119ed748be66c64e539402780878490839dd0b24234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	de0f6d3156577dbace690119ed748be66c64e539402780878490839dd0b24234
SHA3-384 hash:	5b984ef049889a1a82073459903a01c8cdd8da7dbc52859dd5e26021c511b6263c71e0328e68a0cf50f3c37bc0f314a8
SHA1 hash:	c76efd1a14e8cf898b40ca3bed0c77b0dd8b6c41
MD5 hash:	a6e177c3002f870437f7bcd293ad30d3
humanhash:	football-football-purple-california
File name:	904f1f99c0e9dc954be0e7eb4b9fd26d
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	5'453'312 bytes
First seen:	2020-11-17 12:28:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	98304:8MURVvvl4MudH6Kry3pNigseB0gWB35HOipWpVeCjNABmCNgz3SD3YXfwws0LUeW:8MURVvDOg3pN1cpuGW3h68z34O00LJ
Threatray	1'325 similar samples on MalwareBazaar
TLSH	684622167B45D7A5D67532B34982FB5223A2E4D7A2404BCD670FDB3968D32C32E0EB09
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Running batch commands

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de0f6d3156577dbace690119ed748be66c64e539402780878490839dd0b24234/

Threat name:

ByteCode-MSIL.Trojan.Witch

Status:

Malicious

First seen:

2020-11-17 12:31:50 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yhw2mkwk563vttjaem625el4zwgjzjziatybb4escbz3ufsii2a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1228ba2604d0a579845a1dfdc24e4923c184e1295d2af972063d76d64b33ef99

AgentTesla

29890b01a73b6721cf2e80232cc366b95be2eeb81bd7beb72372cd3ae4f05293

AgentTesla

385c7018cf8debb5955d9009f6c8096cecf124c975306b95c9b24bd84046e97b

AgentTesla

3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675

AgentTesla

4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25

AgentTesla

698a07ee43319ed49e3a64c97c8626d26b7a9d5ff6c7c02d9ce87d0089c9ed90

AgentTesla

789908dccb3fef2eaf91f04e9af718d53d58da605aaf092b549efccc869dff12

AgentTesla

93bb62774d2359778e34985d5c7fc6be51f91e48706509b8698714f0b5f46a46

AgentTesla

fd2a7682f371ab740d8691e13d1ab27f3919414019afd1b6ddf935394c59ba60

AgentTesla

+ 1'315 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/201117-lc7bhk62ya/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

de0f6d3156577dbace690119ed748be66c64e539402780878490839dd0b24234

MD5 hash:

a6e177c3002f870437f7bcd293ad30d3

SHA1 hash:

c76efd1a14e8cf898b40ca3bed0c77b0dd8b6c41

Link:

https://www.unpac.me/results/9693d71e-56f1-4878-92d5-77d169d88da3/

SH256 hash:

1703e7560c1d6cf53d29509223a84b83fafb283d97b51f6b6bc2c4955312d05f

MD5 hash:

0ee5852a63523be3b154f7b77ef0ac56

SHA1 hash:

7841b533b70a70175c3eaac2b008af28b78decad

Link:

https://www.unpac.me/results/9693d71e-56f1-4878-92d5-77d169d88da3/

SH256 hash:

4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd

MD5 hash:

304cc4a1948539064cfec5b70bd83e21

SHA1 hash:

32b3754f52323fd71b8349f01c9dd4bc4fecd880

Link:

https://www.unpac.me/results/9693d71e-56f1-4878-92d5-77d169d88da3/

SH256 hash:

f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c

MD5 hash:

b1c72a8e99542c64507470535686ddd9

SHA1 hash:

fe3bec4b6e2b7091db68705feb59090c24c8b6ed

Link:

https://www.unpac.me/results/9693d71e-56f1-4878-92d5-77d169d88da3/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample