MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6f80aee15c24e4bef84e6fa4c1435a64f96e06227e896c11a492c9d6ce35c21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6f80aee15c24e4bef84e6fa4c1435a64f96e06227e896c11a492c9d6ce35c21
SHA3-384 hash: b5db51066904502dba3da9bd22d4771f4615981de52ab5a4722be4a1873d9968e6bede4837608bef91acf3eba883553c
SHA1 hash: 54c85d091e20573460ec1fce2e2eed8098a1e8c5
MD5 hash: af2fa8cb5232e309f32ee5be495948d2
humanhash: cola-romeo-seventeen-bacon
File name:af2fa8cb5232e309f32ee5be495948d2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'141'248 bytes
First seen:2020-09-27 07:32:51 UTC
Last seen:2020-09-27 08:37:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:66rTe+C/JB+e2gYCbOnv89q//thIdU3OPFwuDrd0QYcv:6Se+C/J0h+Onv8MHYmOPFwuDrd0QYc
Threatray 10'707 similar samples on MalwareBazaar
TLSH 5B35F10D27DCAA71EE3E1A7773B14089CEA1DA48C14AAB5F69DCE3F498DB3146D940D0
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66209/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.29373.1956.19294.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475973
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290436 Sample: CdCu07ikOk.exe Startdate: 27/09/2020 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 3 other signatures 2->42 7 CdCu07ikOk.exe 1 2->7         started        process3 signatures4 44 Writes to foreign memory regions 7->44 46 Maps a DLL or memory area into another process 7->46 10 CdCu07ikOk.exe 7->10         started        13 RegAsm.exe 2 7->13         started        process5 dnsIp6 48 Maps a DLL or memory area into another process 10->48 16 RegAsm.exe 2 10->16         started        24 smtp.yandex.ru 77.88.21.158, 49716, 49719, 587 YANDEXRU Russian Federation 13->24 26 smtp.yandex.com 13->26 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->52 54 Tries to steal Mail credentials (via file access) 13->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->56 signatures7 process8 dnsIp9 20 smtp.yandex.ru 16->20 22 smtp.yandex.com 16->22 28 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->28 30 Tries to steal Mail credentials (via file access) 16->30 32 Tries to harvest and steal ftp login credentials 16->32 34 Tries to harvest and steal browser information (history, passwords, etc) 16->34 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6f80aee15c24e4bef84e6fa4c1435a64f96e06227e896c11a492c9d6ce35c21/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 17:27:44 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=434av3qvyjhex34e435eyfbvuzhznydce7ujnqi2jewj23hdlqqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac
AgentTesla
35912ff3b78d0699082450202cc16cec5c11447c39ec0e4db7738c188662f0c5
AgentTesla
3823b2ac7444188f31b0e9990ecb3120084180af9fe5e5a30b5af83b91290a34
AgentTesla
5fa8237700455a67c1db31c12aa20e6b5536af561ae732248326cd94990ac388
AgentTesla
6a43d3e802d7a52afa0ed359ad45f965c55beabfc143efd8facb89259b760e34
AgentTesla
7ca8232e7c1412239e7ae183a33a8546097b37a1ca2fd03d068472f6ad7021c6
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
9e3a94f237c30841d45f04d73fb46e31b3fa5c5f45a6b49b5acd8aaf9f0b748d
AgentTesla
b5ed3dead9212794fe1c3d66ac26cb3aef679980fdf63100e517f876655b0575
AgentTesla
cd62c1ca555d8caedbf2f6974500577216b34549681682d8802af804f0510f46
AgentTesla
+ 10'697 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200927-lsltzd5pra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e6f80aee15c24e4bef84e6fa4c1435a64f96e06227e896c11a492c9d6ce35c21
MD5 hash:
af2fa8cb5232e309f32ee5be495948d2
SHA1 hash:
54c85d091e20573460ec1fce2e2eed8098a1e8c5
Link:
https://www.unpac.me/results/1d04c6f8-26dc-4b77-a6ef-415c94df6454/
SH256 hash:
7598427f834ba942eb5a72e40c9620f8070245f38f846be92e1e1cee15fa9b82
MD5 hash:
f7dcd0a6a7144791930eacc97b71f260
SHA1 hash:
27ef87f08f2771f01cc124d413882c580c64c23c
Link:
https://www.unpac.me/results/1d04c6f8-26dc-4b77-a6ef-415c94df6454/
SH256 hash:
1813321ed1fafea40798a6ca3bf65aaa6886b3e3ccb7e8e568ef8bca77155338
MD5 hash:
17a9fcebc99fe4cb4ce332969d6512f0
SHA1 hash:
9b3f35b4dc735b36a3b66a5b23ed631222a7ef4b
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/1d04c6f8-26dc-4b77-a6ef-415c94df6454/
Parent samples :
e6f80aee15c24e4bef84e6fa4c1435a64f96e06227e896c11a492c9d6ce35c21
012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e6f80aee15c24e4bef84e6fa4c1435a64f96e06227e896c11a492c9d6ce35c21

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/66209/
  
URLhaus
https://urlhaus.abuse.ch/url/611610/
  
Delivery method
Distributed via web download

Comments