MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c5ee28286d91164ea32239ff0fb8471aa8b0d3cf22fc2bd3b03e23dd0b48da9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c5ee28286d91164ea32239ff0fb8471aa8b0d3cf22fc2bd3b03e23dd0b48da9
SHA3-384 hash: c21f72c2836fe8c3e0b47d4016072bbb95ff8a22af779035271ffc1eb5289d86049911150e740757df38c5d7245e4814
SHA1 hash: 79485017314ae8363722474efda3ccc4b872f90d
MD5 hash: 99924c188b3283d6e94a2f2a89ddc6fc
humanhash: arizona-nevada-potato-oregon
File name:99924c18_by_Libranalysis
Download: download sample
Signature AgentTesla
Create hunting rule
File size:686'928 bytes
First seen:2021-04-30 12:00:52 UTC
Last seen:2021-04-30 13:12:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:MNKpF5JJFfyrxw1cq0OhgKwUnqkCGulhDzzaCvZAA:MIpF5DFfjgKwU+TzaCr
Threatray 4'990 similar samples on MalwareBazaar
TLSH 5AE4CEE5662C5BC3CAF10E75BC0692407A743E1176C6E24974F9276E37F63EC9108AE2
Reporter Libranalysis
Tags:AgentTesla


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147385/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.25158.7990.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/704789
Signature
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c5ee28286d91164ea32239ff0fb8471aa8b0d3cf22fc2bd3b03e23dd0b48da9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 12:01:14 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=drpofaug3eiwj2rseop7b64eogviwdj46ix4fpj3aprd3ufurwuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1341772a87e26adea4e68c01f271a58de067287d5da8135063008942a507e40b
AgentTesla
294d3baa6d4e6b9d6e55fd9c67072d0d27f3786a4abb6b27c32fa977778fd94e
AgentTesla
6118f0c08d35a0dacc436ecc89379620c5d966f7cba43a6148684dd4a06c81ad
AgentTesla
7b0fe4be193ac9b74556bed23fc7640bd499ebca996b64daa131c4d8490263e5
AgentTesla
92d9b1922bebbb60f7ca75eb99220f92bbdf687af32a4a966ec90fd562dfe96e
AgentTesla
9d2456c99b93373a3c4aa7704bb02363336af433de86dc7c6ff5361dd05216fa
AgentTesla
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
AgentTesla
b1f530942db69e2f7a2823abab2ecc03eaed957101e7e6a7b53af823765df3a7
AgentTesla
e3dbadc32e9e198eb9c03b3c8a29bb4569838eb7089ed761aea6a496eb8f8157
AgentTesla
f65323315d4aa2337e4f0de17a502148da38c93012e0bf91fe6b70ba88d03d56
AgentTesla
+ 4'980 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210430-j9rwla2r8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9a508a1b779271ea056ede9de7ea84edf60491fb0bcb57e14d9e44da2317b53c
MD5 hash:
79bd50786a6a63766efa2c5b1261e2fa
SHA1 hash:
bdd03137edd8b08bdfc7f81dbbdc4993d4b21d80
Link:
https://www.unpac.me/results/a1a2a976-b0ce-4f21-b4af-5728a2693b6b/
SH256 hash:
11f7d40424080edc29c286b58bc49a1b8596654aa18a931aa9e6f9db09afe65d
MD5 hash:
f2c9cb2f1b2ddf8243df327995e163a1
SHA1 hash:
53a235039ecb211d5b8c7be938984885cc740b2b
Link:
https://www.unpac.me/results/a1a2a976-b0ce-4f21-b4af-5728a2693b6b/
SH256 hash:
1c5ee28286d91164ea32239ff0fb8471aa8b0d3cf22fc2bd3b03e23dd0b48da9
MD5 hash:
99924c188b3283d6e94a2f2a89ddc6fc
SHA1 hash:
79485017314ae8363722474efda3ccc4b872f90d
Link:
https://www.unpac.me/results/a1a2a976-b0ce-4f21-b4af-5728a2693b6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/1c5ee28286d91164ea32239ff0fb8471aa8b0d3cf22fc2bd3b03e23dd0b48da9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147385/

Comments