MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5e0aca5108536d030a5ca781ae1610f8868d67082e35bf3ba3123f333dd27a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5e0aca5108536d030a5ca781ae1610f8868d67082e35bf3ba3123f333dd27a3
SHA3-384 hash: fa91b2660b3b089b155d530f8a5b1f7a4d990176a1797798832daf3426d7938f87357edfd2e4635194a07d150c3fef77
SHA1 hash: 91cc7cf70e51bb4928be901930af38442ab7bbf0
MD5 hash: 8c16b839c6555d127b62f03c0008c572
humanhash: hotel-potato-mobile-delaware
File name:RK- PO No- IPO-202010.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:512'512 bytes
First seen:2020-06-10 11:18:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Eboave0mdEyBHMaJVoLScSeO2hFStFMqt4BUBZGb:EX1mdZML2cSAhFSt/
Threatray 11'036 similar samples on MalwareBazaar
TLSH 0CB4BE9D7650B6EFC82BCC7289A92C60AB6075675317D243A44312ED9E0DBE7CF112E3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp-7.skok.cz
Sending IP: 77.78.76.134
From: ESMA - Purchase (Orders) <import.orders@esmagroup.com>
Subject: Request for quotation: 200326 RK- PO No- IPO-2020101Dated-08/06/2020
Attachment: RK- PO No- IPO-2020101.img (contains "RK- PO No- IPO-202010.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Barys.53615.11410.18274.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 11:20:06 UTC
AV detection:
16 of 48 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxqkzjiqqu3namffzj4bvylbb6egrvtqqlrvx452ger7gm65e6rq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cfd5099c6a8bf03aea60b09f4e7b829eadfcc1c0cc55f2c8bfbae01c03e56e2
AgentTesla
2c15880ab47cd785c59229616789de898380c42f6204d926409184c32543cac2
AgentTesla
4106d7796887912eef46c78f6f62593d12152ae114e6e67c004afcaddb4296f5
AgentTesla
6985c2ba8fba688c19a243e559038ac05a5210ac6a672f9d99be9e2e90aacbd4
AgentTesla
7b9bfaeb2e623f343b43548eb6f2de716a574176017eceb837b941aa316cb16e
AgentTesla
98f14edea3c84946787d020e97f6b161cae2ed419e458434413626b9893c6f62
AgentTesla
a7123dac2bb5666fff067c25b1735f32ec01edc57d44742db25bc80f770a2d27
AgentTesla
b32e124d79e22d6fa01bea107ce49b5247629f4c4be8b27242887f2151d9ac31
AgentTesla
b378c93f686fd1aa1b5a01eee4baacb4b664a52714ddb6729c31204a052ee4d3
AgentTesla
d0be07347ce319cbce0fa252c4a030834dafe118c2ea50a6e05951ecf06b20da
AgentTesla
+ 11'026 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-tlxgcyfr5e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 53cb84f73201c82ddd70f2b1e17cfe1bd1e929804903729183c3ec480fc4f073

AgentTesla

Executable exe c5e0aca5108536d030a5ca781ae1610f8868d67082e35bf3ba3123f333dd27a3

(this sample)

  
Dropped by
MD5 a39a2ce45c2833f7d70cb01b8657b93e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 53cb84f73201c82ddd70f2b1e17cfe1bd1e929804903729183c3ec480fc4f073

Comments