MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6dfec91e16366a3e0f61493f1cf305389da317c5f3299e8acc48b74b724a3ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	e6dfec91e16366a3e0f61493f1cf305389da317c5f3299e8acc48b74b724a3ea
SHA3-384 hash:	9ea536be944941c7f6a7da7509cc521a455c766b101c85ece0e2bf9bbf18f7478be205fdb8b1e85604f2d20705641ead
SHA1 hash:	db112652e81831552e04121e8f2f739948aa124e
MD5 hash:	6dcc309261ff8dfb98fde845386d1d24
humanhash:	alaska-social-alanine-fourteen
File name:	Order 0173P.doc.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	281'803 bytes
First seen:	2021-10-14 10:30:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:wBlL/c95sMkHvkQfU0BG93FCtiC8a1eOf9TVax9Wj96e8uVv:CeAMOv3fU2G93FJLatFkaz8w
Threatray	11'787 similar samples on MalwareBazaar
TLSH	T1B75412F30BF965F3F293567104F3DBABD676A0099110A2573B70CEF529297CA8A26113
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	pr0xylife
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order 0173P.doc.exe

Verdict:

Malicious activity

Analysis date:

2021-10-14 10:45:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/03b54038-2b38-479f-8429-82955ffded36

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/197505/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Deleting a recently created file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/616806e81c2d58ba74063c33/reports/44ea851d-78ac-4002-9dc4-012805307936/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/06649680-90a9-4863-8f9b-4a2e1aa28757

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/870358

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e6dfec91e16366a3e0f61493f1cf305389da317c5f3299e8acc48b74b724a3ea/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-14 10:30:41 UTC

AV detection:

12 of 28 (42.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=43p6zepbmntkhyhwcsj7dtzqkoe5uml4l4zjt2fmysfxjnzeupva._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

62e4849bf2b02dd9508f6db60bc9f0d0e982ddfb607b9816e4a777c8cf5542ec

AgentTesla

717eb223b3e2ec88c901311d3bb203f2cac106fab92216ab6e89b353ebec1562

AgentTesla

7579d907f11e31daadd189f27bb76ece470935be7d196e402030fae41615fca7

AgentTesla

7ad36d3f343d7d8357c9ca31d9ed0218c7913608b76e9cc6a98f4b1a7369fd55

AgentTesla

a36a5b94a8923ae135a43b21ec38a37924fd59ef902f496f7b499cd4e4083143

AgentTesla

aa49a468dd184ec1ee4b126823e7c3dec0539e75b0736b6f2a24116fc33badb9

AgentTesla

ccc78c1d61ff6eb4b314c9ffbbd9f172984a6b3decb088b1398a96b382a3149e

AgentTesla

e41c50d817a963a03c07188bda3e42f164f1ce189f2875dc7f5125594d4ec159

AgentTesla

+ 11'777 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211014-mkdfxagggn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

e6dfec91e16366a3e0f61493f1cf305389da317c5f3299e8acc48b74b724a3ea

MD5 hash:

6dcc309261ff8dfb98fde845386d1d24

SHA1 hash:

db112652e81831552e04121e8f2f739948aa124e

Link:

https://www.unpac.me/results/cec91ee4-d1dd-4569-88d7-8b61c2119b53/

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e6dfec91e163/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e6dfec91e16366a3e0f61493f1cf305389da317c5f3299e8acc48b74b724a3ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197505/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample