MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca
SHA3-384 hash: 914b70a93cad280bf816419d9a2e2ffa2cee333e0a3a003991a62da5bd15b0eb8c2ba9bd50b9c22c752e6d3375f9d049
SHA1 hash: 9206ee77e5f7cd48125ce93e257e97ee0952020c
MD5 hash: 05ca79f28634afedc9c48305c9e5bef0
humanhash: mobile-arkansas-robert-indigo
File name:05ca79f28634afedc9c48305c9e5bef0.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:715'776 bytes
First seen:2020-10-13 08:20:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:MeLy7Jh6gWlhaHCEg84leknq7N9OjfWnWdC7A/oggc:MauIgWvaHCEvK5n+9ifWmaA/H
Threatray 504 similar samples on MalwareBazaar
TLSH 56E4CF2B77B45F52E03E9BB91831A0B407F3D64BE733E54A7EEA10B40186B964773912
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70350/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.445.29954.28837.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489426
Signature
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297162 Sample: 45LG92SDay.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for dropped file 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 6 other signatures 2->47 7 45LG92SDay.exe 1 7 2->7         started        process3 file4 33 C:\Users\user\AppData\...\KsXneWkIoY.exe, PE32 7->33 dropped 35 C:\Users\...\KsXneWkIoY.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp5650.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...\45LG92SDay.exe.log, ASCII 7->39 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Injects a PE file into a foreign processes 7->53 55 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 7->55 11 powershell.exe 23 7->11         started        13 powershell.exe 25 7->13         started        15 powershell.exe 7->15         started        17 12 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 8 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 08:22:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zte6toallne3o3e5xob7voc55lscsudyvn74zizlud234l3zlfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
AgentTesla
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
39a76f88dd2a2ebc1ef8a21c852813b486cb969d062a973610b60eeaef436e11
AgentTesla
9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
AgentTesla
9db4c4a75f04844a37e15aa0762751beed2422027496e06b76a435c953d94330
AgentTesla
b6dac3c563e7b771fa56992d6c5ac321278e8ff4653b5f50f283855e672cdb3d
AgentTesla
ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f
AgentTesla
ccc3b2be409e5a8b8166f6ff51feb068ba05c6dfb4e31fd34e8a853970bd3a40
AgentTesla
e63d9fff34fc1c54b4e9bcb779e8101ca5e65f84d84e153c0788dec7d8ee5d42
AgentTesla
+ 494 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201013-ksb2sbjb7s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca
MD5 hash:
05ca79f28634afedc9c48305c9e5bef0
SHA1 hash:
9206ee77e5f7cd48125ce93e257e97ee0952020c
Link:
https://www.unpac.me/results/4447ee64-5289-42ac-bbc9-4b4a19bb618f/
SH256 hash:
f764da65161e60659b675f7035cde558ef6182b06d3a4fc7f32cd62e7ace8dbf
MD5 hash:
da5af88451a6e0d3df9831ea1cc18b82
SHA1 hash:
001390acbccdbd917b5d510d9c57d6a8e699fa5e
Link:
https://www.unpac.me/results/4447ee64-5289-42ac-bbc9-4b4a19bb618f/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/4447ee64-5289-42ac-bbc9-4b4a19bb618f/
SH256 hash:
5b1e724906f95f30e5db7ae50679748a4c8febde3411ce4e0f66311c2b5578eb
MD5 hash:
be57c5c0918f3c38c8b752e43e1c41a9
SHA1 hash:
3c8322778bd54410d33690dc670483128eac9e99
Link:
https://www.unpac.me/results/4447ee64-5289-42ac-bbc9-4b4a19bb618f/
SH256 hash:
90a1c70be1fc96f0bb77388cb4f81beeaeadf3f97a2015d575b712a62daac00c
MD5 hash:
7d1950efcd44657f3452de5e497be055
SHA1 hash:
59bc9f3bbffa1003a8fb50f957c52c755245c7ef
Link:
https://www.unpac.me/results/4447ee64-5289-42ac-bbc9-4b4a19bb618f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/70350/
  
URLhaus
https://urlhaus.abuse.ch/url/675605/
  
Delivery method
Distributed via web download

Comments