MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a5ee7a7accc9dea18429c75f62db226599e96d50cdf5f1fec7d5e40881278b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a5ee7a7accc9dea18429c75f62db226599e96d50cdf5f1fec7d5e40881278b2
SHA3-384 hash: a5f4b76c2644f0b611d09f808b426ff80fa125b0a37300ccea26b6b9186fa8b88cbe94002b5dcd91921bcfdbb439b5ea
SHA1 hash: 504a431a59ed456c1569fc23c419b66ea9d3a8bf
MD5 hash: f9832ed3139e752e17c7ca2c34be3f8f
humanhash: georgia-yankee-blossom-three
File name:MRS-KNRP-6842FT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:690'176 bytes
First seen:2020-08-03 12:55:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aqIQWZBbUp1/MRzc51x2beTHANdv/7mfcOWn4g:uVbaacjx7THA7j
Threatray 1'029 similar samples on MalwareBazaar
TLSH 56E4BE2C3BE0855AF55A0F7E5C3251429D34F84BAD2BF38F25B1622C48BA79C9C41F66
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: hameedentr@cyber.net.pk
Subject: Request for Quotation for MRS-KNRP-6842FT
Attachment: MRS-KNRP-6842FT.pdf.gz (contains "MRS-KNRP-6842FT.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37818/
Detection(s):
SecuriteInfo.com.Generic.mg.f9832ed3139e752e.17706.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/407901
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a5ee7a7accc9dea18429c75f62db226599e96d50cdf5f1fec7d5e40881278b2/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 12:57:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljpopj5mzso6ugcctr27mlnsezmz5fwvbtpv6h7mpvpebcaspcza._file
Verdict:
malicious
Similar samples:
17b3763eae8262957e49956dbc63b57ba57ce91b49bc7d538dc1e01cabd52450
AgentTesla
275537d87441c354b859273e0729177d78f185bebdd9a86fac240a3f168a80a3
AgentTesla
4068afbd6b271b237f97b260260971d8d2cb6b7092687eabc56e3353567f3d50
AgentTesla
4f965aee8b694528d2d11d5a80eeee466959650ffcd12b5f0fc28d3a11709e27
AgentTesla
6f2ed9ee33724651d7fb52edc4dbb3bfde3c19ca12cf5e990952d392305d1c20
AgentTesla
7a61df23e0402188ffbcd17806396f8e71d86e4aae0ae57a3d70a4b83195c01b
AgentTesla
946bf0933ae9952f715bb7405c52fe8ec4ef71bc5ace58859b1c3ae8d93e253d
AgentTesla
9aacf7241d4ac98976ece20663fe83d6b5f13bfe98b597ae02ed5d39614b9c16
AgentTesla
c523252072f5911950614d6a91d16036b0128c10458f05a4ab0b7a3221780c1a
AgentTesla
ec0f65afbe2adb5bccb4d4b0fa58353791deb99e42a2583828442a68af1cd235
AgentTesla
+ 1'019 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200803-9jvbas8qns/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a5ee7a7accc9dea18429c75f62db226599e96d50cdf5f1fec7d5e40881278b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 4a8ed2dafd6e64965df912fe487ca70e1d838f4d9ce924942b271d8bd5576bb7

AgentTesla

Executable exe 5a5ee7a7accc9dea18429c75f62db226599e96d50cdf5f1fec7d5e40881278b2

(this sample)

  
Dropped by
MD5 8d5f1424e44d81cf80e25992f16bb034
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37818/
  
Dropped by
SHA256 4a8ed2dafd6e64965df912fe487ca70e1d838f4d9ce924942b271d8bd5576bb7

Comments