MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d8dc0d20ebc682fdd90bbbb8eb0d57203557feca6a52a12c98816a387656315. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d8dc0d20ebc682fdd90bbbb8eb0d57203557feca6a52a12c98816a387656315
SHA3-384 hash: cfab45085c9ef939cff828fe2a9d524a5ca5b6292b5cf0e1daaceea9e11d72af08838b6eac566c110bd1950c1468f519
SHA1 hash: 6602c00f007887bd0cd23a16dd2461f61be9067d
MD5 hash: aaca4b0d1957fe6d3bf9e152ef7a4cd3
humanhash: earth-steak-zebra-hydrogen
File name:Quotation prices accepted with designs and images.jpg.exe.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:451'584 bytes
First seen:2020-05-13 07:14:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vMmokmvQfqyjIZliMF6wcukI+0UPcxdjWW4XC2niigg:EfkmYfuliMF9Fk23xlYCkidg
Threatray 1'781 similar samples on MalwareBazaar
TLSH 46A4121E7169BBFFD69E06F4A046918503F18C0696C2F3E94C9074EA7EB77D48513293
Reporter abuse_ch
Tags:AgentTesla exe Yahoo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sonic310-23.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.186.204
From: ricky0844@yahoo.com
Subject: Hello Supplier
Attachment: Quotation prices accepted with designs and images.img (contains "Quotation prices accepted with designs and images.jpg.exe.exe")

AgentTesla SMTP exfil server:
smtp.yandex.kz:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 08:07:00 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwg4buqoxruc7xmqxo5y5mgvoibvk77mu2ssuewjralkhb3fmmkq._file
Verdict:
unknown
Similar samples:
0157268340dbee3d5090f2793561e90f051ea1a1f160cb420eacbd5525a94b93
AgentTesla
26d84a58245ef7c47ef69c0b8a1d378ad6c8a3d8d154d2358ed0b16230082420
AgentTesla
5adb192079fbc16f4631d3e5c894d9bec1ed384e7be85742c4f076760eb64a0f
AgentTesla
64f0214a1438a825f551e2113d911ede56cfe3bb26f4e4003ac4bdb6cad3995f
AgentTesla
927ea99a59336bb821aa9062c686d43e3022224f56c6f34338218ddc6e165cfb
AgentTesla
9d78978a90924215994a1fc247c71d55f8480c19aacc76fed9c62cf27b3eb985
AgentTesla
b94b255e05a2792ad302c0c398099cbc6f6eb67212dd2c5fcafbe80a13f9b946
AgentTesla
ba6c27eedbe9c1152f8232f685600ec69ad11ada7b6e82db997e08d89a1b0385
AgentTesla
d0fc60d9720f689cf8ad3011239886d9fb2e1a35eda420291ead2c780a77a37b
AgentTesla
e13fe4c80bcb450b7b811fa218cbd3ccc6a483470d07877dfa283ad4ac0d1042
AgentTesla
+ 1'771 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-8hemhzp262/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 3ecf99b05ac2a578a8cf62c3325844bddc8434022247f629ee568cb236774b93

AgentTesla

Executable exe 5d8dc0d20ebc682fdd90bbbb8eb0d57203557feca6a52a12c98816a387656315

(this sample)

  
Dropped by
MD5 16343fc2267a42be2c64b3912becd870
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3ecf99b05ac2a578a8cf62c3325844bddc8434022247f629ee568cb236774b93

Comments