MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bce10125f245dab9ac4ef1c0dece6313b43512e721f70f7c4846ebb23b1cdbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bce10125f245dab9ac4ef1c0dece6313b43512e721f70f7c4846ebb23b1cdbf
SHA3-384 hash: 9790e4b7c07e62e27e147f0dd71e44a095fa53c356dc0e2d9d8e13d0803bb6e45dead9fec283b31da7bb93b953e381ad
SHA1 hash: 3aa4c17824fcd98b484c433c45b38f6d2b4ef159
MD5 hash: 6336e549dbb8ac6e1a47f22bb41eedb5
humanhash: bravo-nine-victor-lake
File name:4435534411690.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:614'400 bytes
First seen:2020-06-22 11:44:13 UTC
Last seen:2020-06-22 13:10:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:HcoJJ6mUPU8PSYtEe4cDMXANmc6TD7obnaWlv:TJ/U80SaHNeD7obnaWlv
Threatray 10'730 similar samples on MalwareBazaar
TLSH 2ED43B2E3681B906D13C493244AA69906771E5437B02C30F7EC9E7AC6F12ADF7F462D9
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dv5.digival.org
Sending IP: 5.181.46.155
From: administracion@easa.info
Subject: Confirming - payment
Attachment: 4435534411690.GZ (contains "4435534411690.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12564/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.14183.30296.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bce10125f245dab9ac4ef1c0dece6313b43512e721f70f7c4846ebb23b1cdbf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 11:46:04 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lphbaes7ero2xgwe54oa33hgge5ugujooipxb56eqrxlwi5rzw7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01756885591950ce684aa986ed7da04c5b4cc98ecc9e919866071eda128b4342
AgentTesla
4a3cc5b8ceaffa6473613934515d9f5b96668a952f4103d177593b9041c650c8
AgentTesla
573535f4daf60e724e68c766dfa8ac52bb96b33d4bbe307e36730725dd0f40b0
AgentTesla
5ce4d4f2a15924f200619b7140bd99faad88758c0d0f0cfb4eb9d166fe2f41e3
AgentTesla
7a318843897566dc4f8db9db7d7d0d8c3a8a69d4de0ac7d59fe33b897fdd0b31
AgentTesla
8e06f5c0b680e598a1063b921faa1568b00608fae457fedc04a53bc4637977ef
AgentTesla
a2a8e595abb9d14bf0a84f49b0f81725925b19f14f0b06da5ab01b6eb4b9e7e9
AgentTesla
c7839a3137610ece15b06c73cb4e9ad2b7d175630c13717649974d1965d1235c
AgentTesla
eeac5a93cbddf4199153c4a54460b5c618c097814be44e5c2b57ad4255c8546e
AgentTesla
f077dec4e7550bb42ddcb70f5e8ffc4f9573579a31175726cb61669501cac299
AgentTesla
+ 10'720 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-czvbv3x9kx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

61e9553072d6e558e56a2b5492d81143

AgentTesla

Executable exe 5bce10125f245dab9ac4ef1c0dece6313b43512e721f70f7c4846ebb23b1cdbf

(this sample)

  
Dropped by
MD5 61e9553072d6e558e56a2b5492d81143
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12564/

Comments