MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05b02bf04aa6fe86594dc232319e9f2b6a42d60f8a51f6ca41d1469cedf48362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05b02bf04aa6fe86594dc232319e9f2b6a42d60f8a51f6ca41d1469cedf48362
SHA3-384 hash: d7016f3f8f00f742e50bde286d2659f186cff5399e7346f9674253d98d9a6391299599e8061fdd7f57154884d6abbf30
SHA1 hash: f2dc0bc0ca663f8679e8388ad84d9ea6f224dfa3
MD5 hash: a9d3db84998a889caacd77e92c3e55b0
humanhash: wyoming-zulu-black-potato
File name:PRODUCT LIST.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'052'160 bytes
First seen:2021-02-07 07:37:39 UTC
Last seen:2021-02-07 09:54:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:XgXoZi970AuR5CQFqzZUkI523cJQ1rRc7maGTkp64KhDrejwJFOm3zyTCIEjdjZH:QoZh5CQqUkJv6mLe6lDajeOm3UpEj
Threatray 1'134 similar samples on MalwareBazaar
TLSH F525CFAC365479DFC913CC76CAA85C24EA64657B570BD20390631AEC9E0DADBDF041F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: CONTACT <sstc786@cyber.net.pk>
Subject: URGENT REQUEST
Attachment: PRODUCT LIST.zip (contains "PRODUCT LIST.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRODUCT LIST.exe
Verdict:
Malicious activity
Analysis date:
2021-02-07 07:43:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d4990ea-f8da-402a-8290-1d747374b20a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115951/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36309591.7379.4950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/601212
Signature
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/05b02bf04aa6fe86594dc232319e9f2b6a42d60f8a51f6ca41d1469cedf48362/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-06 15:26:28 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=awycx4cku37imwknyizddhu7fnvefvqprji7nssb2fdjz3puqnra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c63fa7373f5f711ad83af0599a16ab33fcc40533c1b0d1ee7f0d0075b9ea079
AgentTesla
206ffd0bd61efa5d7555466690e7e20ee7bcf6f8e45323bb1bb01b85073bc77b
AgentTesla
2634fb80e3aae92bb4b0fa252d7be8242629a9dbcd14301b0002e8d1bfc8b420
AgentTesla
48e8ff87262aacbe6b64962d5703ddf042e51bd5cd099bc787923ab33f172ccb
AgentTesla
5176fa6f4f5ae41f1c9b066d0b746e5002b3dbdaf8aa2ce6aa19e1cd630553c8
AgentTesla
7d2175ba67b2da454b87aa349a4a889769e15c2629ad28642e7853881ec433d4
AgentTesla
b90e0056190e4d819c069fc8577ba24a335caa720e88ee28317712005b735999
AgentTesla
d0a30f40bc29f4282f79ceb0f3391ee6b77d3837fdc1bd3208c4ad2ed392940c
AgentTesla
f244f6da6d9b7a0ea77263b09aea044a5175da9fbdf9300f80fca1de1e81646f
AgentTesla
fca9c9be14541217929d625dd1efd04139b501d120a9a7a5b299fcd2a34973bf
AgentTesla
+ 1'124 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210207-yvvjxj22ss/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a84ef9933a12f4114115aaff05052082c98ae222ad5dbae59750eebde38ee3e3
MD5 hash:
c6a1c737f33dad995a47bc97fe016f02
SHA1 hash:
f860386ebfdea9327401c1e2af079b481f3687be
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/71477b4f-b7f1-49bd-b9b7-c9a10f88cd9f/
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/71477b4f-b7f1-49bd-b9b7-c9a10f88cd9f/
SH256 hash:
013d10dc339193c6491e82d5939f8b249a5722349d99ced0cb315b60aba0bd49
MD5 hash:
a30c24a45acc7b642d4ce503de97668b
SHA1 hash:
a783e4cda7ba16cb5b2a91d2ed6162938b1a6e28
Link:
https://www.unpac.me/results/71477b4f-b7f1-49bd-b9b7-c9a10f88cd9f/
SH256 hash:
05b02bf04aa6fe86594dc232319e9f2b6a42d60f8a51f6ca41d1469cedf48362
MD5 hash:
a9d3db84998a889caacd77e92c3e55b0
SHA1 hash:
f2dc0bc0ca663f8679e8388ad84d9ea6f224dfa3
Link:
https://www.unpac.me/results/71477b4f-b7f1-49bd-b9b7-c9a10f88cd9f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05b02bf04aa6fe86594dc232319e9f2b6a42d60f8a51f6ca41d1469cedf48362

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 21a79da30fc086d107f410a3b00c78b5b48221704911efc8fcaad4b113d1fee0

AgentTesla

Executable exe 05b02bf04aa6fe86594dc232319e9f2b6a42d60f8a51f6ca41d1469cedf48362

(this sample)

  
Dropped by
MD5 f973c454c76b16f21e3b361da2954e58
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115951/
  
Dropped by
SHA256 21a79da30fc086d107f410a3b00c78b5b48221704911efc8fcaad4b113d1fee0

Comments