MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5d1d457a00cd4dcb87cb66584613857105c975eb44d98c046f13c57c627934b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	b5d1d457a00cd4dcb87cb66584613857105c975eb44d98c046f13c57c627934b
SHA3-384 hash:	1ef6783afa31af1cb97b29500b6afd032c9a4ec5696e04148d2b376793f7eb20ccc9792a00836a469ab4a0a9fe95f772
SHA1 hash:	c7c7e98afd2bbc90d75633b03916c826884c9125
MD5 hash:	3922baed256905ad1f93320e5bb5b899
humanhash:	fifteen-nitrogen-ceiling-uncle
File name:	Quotation.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	583'680 bytes
First seen:	2020-09-01 04:56:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:KSYkMeE8qiwkZJ6e8dMXTuB4uo8WxnJLEZzbDiDC60hp7o6T+oNZqF4:gxen0kZb8dMqo8SLiz
Threatray	83 similar samples on MalwareBazaar
TLSH	58C422322ABC87A6E5F509F1082E390DC374665F58BEFBE95D9672E583F13848334642
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: vps.confidencegroup.co
Sending IP: 162.144.59.93
From: Hunan Standard Steel Co <info@ocepasinov.com>
Subject: Re :Re :Re :New Order PO5293371
Attachment: Quotation.zip (contains "Quotation.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

98

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53794/

Detection(s):

SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/456138

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5d1d457a00cd4dcb87cb66584613857105c975eb44d98c046f13c57c627934b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-31 03:53:24 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wxi5iv5abtknzod4wzsyiyjyk4ifzf26wrgzrqcg6e6fprrhsnfq._file

Verdict:

unknown

Similar samples:

14ac862307f76bdf323ae2ae84ed2b46b35483202bf81031c716143343ba7b00

14c779eb9e7f6a3a77a4e0df7a8b64d7a74f7db8a7dede57dc5ce8936b83f5df

333bca520269ca114176493ed2b944cc38cea0bbf11844942f3b632bbe27378b

37677fa0c9255eb7368ce3d54a42e2b3e23eff33c6e2008406d9f32a71b565b8

545305810b041d0a1ea357652c1b98aa714b039c16af8d1d7ecdd8e513a59d8b

9ffb458e6d120f6d42906c102ce49ecefbe4a937d6b605a4d3a1b3a7dc15e627

ae386b6cfbca2ad61a9a4d642e99cd9bfaf9cf7fd647c2b420884df5f6692ddd

aea7319d67789e4e524c4af9bcb842d66593a97dff25cb4be43eee5f5fb86963

bf16393640303afe03a092d605a39a69d05158bce15d690128ef2b2103dfa5c7

f595019c294b2717aad61673e0214db90da5f880d5177c81b30f053004450a56

+ 73 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200901-7nd3jgh2vj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5d1d457a00cd4dcb87cb66584613857105c975eb44d98c046f13c57c627934b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 537f95b21e7632a35d0001cc80a8f3e0c2d31bba63fe67b7e15a7744b62f4cda

exe b5d1d457a00cd4dcb87cb66584613857105c975eb44d98c046f13c57c627934b

(this sample)

Dropped by

MD5 90df0c9d50c29b0de636aa846213ffeb

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/53794/

Dropped by

SHA256 537f95b21e7632a35d0001cc80a8f3e0c2d31bba63fe67b7e15a7744b62f4cda

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample