MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5
SHA3-384 hash: fa2e63ffd221566a51d0aaba85222446aa3d1493eaf7e7aa4e2f1e4fa6e5ff7d29ca6423c3d592fade0d588764410597
SHA1 hash: 4fcfb8ddc61e18c479109b660b7fcc266b700bf8
MD5 hash: 6942da375f003dcf5cb70035ade208d5
humanhash: utah-north-tango-thirteen
File name:INVOICE.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:590'848 bytes
First seen:2020-06-10 17:53:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:eBEEvnH78Nz2fKXADtc/8Z7hG3xomRcjCjh3mR1oCAyqlbtDgK:uEOY18ZWjcjC93mTH
Threatray 10'990 similar samples on MalwareBazaar
TLSH A7C4D00475D1AE5FC33E8DB2485718109BB096AB7E1BF3436CCB15D9142DFCA0A94B8B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zcs-mta01.frontiir.net
Sending IP: 59.153.89.50
From: Payment Foreign Reseller <payment@myanmarnet.com>
Subject: Fwd: SIGNED INVOICE
Attachment: INVOICE.pdf.z (contains "INVOICE.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.hc.21859.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 17:55:11 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyiqwrw3avhhwozocjmspepitz3nroxwlqqvygsxp3bac3b4qhsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2a9ff7b8ca6a12f714779ecdcd2d86ccf9ad03da04de4a45aa8c3c97b7209c8f
AgentTesla
3cc1efea64d7e6952a57ce58fd01afed8fdcedc58b553bd9090c63ca8fa8bf89
AgentTesla
532b875f09991cdf7b57db59f0f7aa579d49b229d65ad1ace9f67bf6ffc7bca5
AgentTesla
726e05271ef6a6781ecd7bd9b130e4621734c991160d820f0fdd61186f5fbd55
AgentTesla
872e06d165968c0548d362d26c3c05ba9c3f35fe1066c5623dded0dd7cbb92f2
AgentTesla
c39d2b521f5ad659826516372c61ccaa1bb588b2d7e05bc66fb069fb83feb4f7
AgentTesla
cb92c3a55b468097670d01ac7a21956dec1ef3cba7c4d880b027727e80f80478
AgentTesla
d5e25941e3d79faf029e3f285e3755bf6b40388af3fd3295dee7ce0289b6d13f
AgentTesla
f495df589f3d5ada5d486d3795de4ddf24d296ae6af572a635ad00c4ed716088
AgentTesla
fca57bc3188f4383efe5bfd8a6c0e3058273c7dca96ef9360f6290790f8883b6
AgentTesla
+ 10'980 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-dbyf5bwacj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 44bc14772c1c36d061c69f1bf92bc23bff572ecbf22051c7c61d6cd88ff4c778

AgentTesla

Executable exe 5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5

(this sample)

  
Dropped by
MD5 a353dda70d97ab7006cc5f8ad1a2c17b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 44bc14772c1c36d061c69f1bf92bc23bff572ecbf22051c7c61d6cd88ff4c778

Comments