MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a1ff51485fd7f49e413093ab5c705265a6d5ec108c1ce955fbe99da3d29aa33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a1ff51485fd7f49e413093ab5c705265a6d5ec108c1ce955fbe99da3d29aa33
SHA3-384 hash: 8fe349562b798be3cc05e4bd37fa471e996e75e29f7bc2796ccb5a6b24edd8beb0e9978bc5ca3f042a7edcb87c5cc7c9
SHA1 hash: 5fedcc0d267c9806493fa393eaf65a5887ec2469
MD5 hash: 9e831c7cfe7af7d9abead8e8fe57187c
humanhash: vegan-muppet-edward-dakota
File name:Plumbing Pumps RFQ.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'641'610 bytes
First seen:2020-05-25 08:37:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4f5b6ddbb1c6b997c1a245dea0a0338 (4 x AgentTesla)
ssdeep 49152:H/6Xvg35sl8Arl9TBCv3d93RPn4kIKYPq:Uvgpslnrl9TEdntIKYPq
Threatray 10'665 similar samples on MalwareBazaar
TLSH 4C75F513BB906809F0739870A9B4A61A5C257C332924F95FA381AF8E35726D7D5F072F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ihcc.sa
Sending IP: 209.58.149.66
From: Dilawar Iqbal Qureshi <pur11@ihcc.sa>
Subject: Quotation Request - Plumbing Pumps - SGH Extension Dubai - IHCC UAE
Attachment: Plumbing Pumps RFQ.zip (contains "Plumbing Pumps RFQ.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.LuheMalumA.12985.16793.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 10:40:47 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
11f9f60f3980a42f06858e5e684b8dedb4b134e9bb357a1043ded9a96353744b
AgentTesla
409fcfde81862a0579c3035388f5036a47282898a6dfe3c7a686356400e2a9f3
AgentTesla
5331c0d3bca792163c516ede19eef0b09e4f30ebe1299e83c9d0ca9b1701632b
AgentTesla
54d7bb96a72dc01cfc92a11805ecbd13d7e3c5b8f38bee450d164a5f19e7cef6
AgentTesla
6824c4afb5e56e0c2b3e0b89a4acde70bcc2bd792334a6600225e623162ae621
AgentTesla
73227e5663576f946ecdd31082bd8ccbd65cb8332f3ccff9807d43c2481276aa
AgentTesla
90ffadcff25b2faecd4cccabac3af9f5329aea12e3330aa408545408bd482fce
AgentTesla
a596fdfb8997f081dd7674b248d02518f1052fe4b1c384a050f6a82b65816311
AgentTesla
abce854dbb1be834088423c8a911d7111cd6d205b9f6b44be000652860fa03c6
AgentTesla
c3196a4d4498a77b2e27353a3cd61ce5494bdce1f29f5643e8fece30aba5a20e
AgentTesla
+ 10'655 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-x6km4f2e5n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5562240396a887bf6d20e41a54c07a0ea27a0df0c98fb0ceced77c525e27e49d

AgentTesla

Executable exe 5a1ff51485fd7f49e413093ab5c705265a6d5ec108c1ce955fbe99da3d29aa33

(this sample)

  
Dropped by
MD5 a6fa02dea005b28f930d1e8475dab51b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5562240396a887bf6d20e41a54c07a0ea27a0df0c98fb0ceced77c525e27e49d

Comments