MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d45333978e4e002d9a5c293f6ea8e19a93154fc5e3a7401c793ebeda53588ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d45333978e4e002d9a5c293f6ea8e19a93154fc5e3a7401c793ebeda53588ee
SHA3-384 hash: 7ddd4db07b8442b3d2d6be770af177b04abb134040d46b385a225cce127673322e745975a75414b631fdeb72735ffc8c
SHA1 hash: b5df4c016acd04e5b8c06129bd915bfd7f94b48d
MD5 hash: 9f7b2a95c1e456d577a7d929705b4b86
humanhash: juliet-oranges-carolina-one
File name:PO-SW2000668 for payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:359'936 bytes
First seen:2020-06-08 06:54:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:kXT7UWbqeTUQD8h/EEc7knQanz4FV00M0x7QUGSK/tRFpjLTCvVkf:Q7UWbvUQgPc7Jy4bi0x7QUYRFpjLTMkf
Threatray 10'686 similar samples on MalwareBazaar
TLSH CB74E0DC7610369FC9AFD4729EA42C64EB6135B7831B824B906716ED9E1C9A2CF101F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: miamidade.gov
Sending IP: 103.89.88.225
From: Odetta Peters<opeters@miamidade.gov>
Subject: NEW PURCHASE ORDER NUMBER POSW2000668
Attachment: PO-SW2000668 for payment.zip (contains "PO-SW2000668 for payment.exe")

AgentTesla C2:
http://hojoomekhamoosh.ir/wp-includes/js/ji/ori/inc/331f6bd062ab00.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-07 23:51:00 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lvctgoly4tqafwnfykj7n2uodgutcvh4ly5hiaohspv63jjvrdxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04fd9df0e5ec9e9f2ddebfa497adbe3c57876dd52d8b778cee3701f21cf02986
AgentTesla
38c234dc0bd0297dc390529d3c11887b19219b76f5f279e8d3484856783f85eb
AgentTesla
3ec3af4549c4eb614c0adbe80eea39646e7b0de97e6ff1fa52c43e0fb2249560
AgentTesla
44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2
AgentTesla
5e095f19ee1f47f01ee5dad9828fef4bd1047feb4860765b5ac387b2ac371330
AgentTesla
62005a4721dc55f0752df55ca79bd85ccb46ba28a34d10d8f29880e087b69896
AgentTesla
77cd50a78f234331630b2a437f8b01a7cbeee5d74b0ac4f1a2a0399664ca3d00
AgentTesla
e6a9bbee2b3b1dec06bfcddd17711777d7d14171e9c180a7310f6bb9cabf6879
AgentTesla
f9ff810fb50e7715a0e84b16a0f8264d783e824e1770a59f7de37d32d40a0ae3
AgentTesla
fd05d0c54ccb0a7ac4c82e6ccf0c330c47de75c875e7f118e6f60e1ecf362183
AgentTesla
+ 10'676 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-lnsjnyw3gs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a0b4e3f87646b25bb024557cc50be91c68c3e06c0a6ba1de401ac0d9ec030a5c

AgentTesla

Executable exe 5d45333978e4e002d9a5c293f6ea8e19a93154fc5e3a7401c793ebeda53588ee

(this sample)

  
Dropped by
MD5 220380bd06b55ac6eaf0fd420cda877d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a0b4e3f87646b25bb024557cc50be91c68c3e06c0a6ba1de401ac0d9ec030a5c

Comments