MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
SHA3-384 hash: 5b9adc0fa7ed3f7698dc4933fcb4d146a5aef58cd680c0af0a3c5b4dc3e8adb8daa0c7c5d5a5a7da41518bf3a0082b3d
SHA1 hash: 65595cdf910a4a4e0ff6c64e595e2a3407998ecd
MD5 hash: d8cb7bfa3530b89365eabaa3969728c6
humanhash: illinois-jig-nevada-fourteen
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:651'264 bytes
First seen:2020-10-15 18:38:24 UTC
Last seen:2020-10-15 19:41:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:BfdywfE/uniPXkl9Sac/GjBNoSM9g1ZGMhZ935VdjShCek5v9+d:2w9iPsAaprog9ZZ5GhCeuA
Threatray 594 similar samples on MalwareBazaar
TLSH 8ED4DF35BA99AF14F07D5B37A8F4406483FDED46A721C61F3EE136CD1871BA40622B1A
Reporter FORMALITYDE
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71573/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.12007.27150.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492941
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 15:04:39 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kalxthsikrminlejnuby4puxa35gl64kqzcl4cdze6p6mcg335ta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ba1cd5068eb222e21bf0f4799f531c5dc07849d4920d3410a78b4aef0559ac8
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
3d281e94d3e3d6dc20818716a5b45e09803a5e8cace71615d950d086b563cc40
AgentTesla
3fdeeff9063421be07d09d4e1af9d7051e036ca556749cd82aaf6335593f7dc9
AgentTesla
757d376a5edc5d260ab3fb209797dbbdf3ce43f6331432174b1398f14e723e20
AgentTesla
8698337edbeaff1bcd719babffa69ff876d5ee74349886e5cba349b7cae7e19f
AgentTesla
874d56e400622b93fb1606b348a4fc41c112de5c69cc13ef0845d378db9ef6a6
AgentTesla
bd5f6e5567639e5e1c4619a02ff2db2eb3242cd6e25e50f7b7559202fc7f061c
AgentTesla
e6793974644f3523b0e79add22e915ae65bcda618b397dd42a6877d2b3e9e2c0
AgentTesla
ffbc4a39ad58fc82025ec9dd1abcba049dc7c66a1ccb8b71fe2171e65f41b526
AgentTesla
+ 584 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201015-qk7b44j7qx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9d35e81ecf56d9920d3dfa62fd8a295b867e831d96293ed2ab0504e47d8e84ec
MD5 hash:
412fd452178d03d246e069357a99bfdb
SHA1 hash:
958969cd3f05163f28f1533d86f7ef95970a3209
Link:
https://www.unpac.me/results/ae8f5db7-a89e-46a8-8e1e-e046f686a6b6/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/ae8f5db7-a89e-46a8-8e1e-e046f686a6b6/
SH256 hash:
2a8eb1ffd2147e886eb916da4b7382f02a59d2bd3a7cda265ec9708af7782118
MD5 hash:
4eb94477d9cbf52d1d8ea1936e8eb4b9
SHA1 hash:
ed4f5d4bdbadbc267be0b6020ad32eb6bf94d862
Link:
https://www.unpac.me/results/ae8f5db7-a89e-46a8-8e1e-e046f686a6b6/
SH256 hash:
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
MD5 hash:
d8cb7bfa3530b89365eabaa3969728c6
SHA1 hash:
65595cdf910a4a4e0ff6c64e595e2a3407998ecd
Link:
https://www.unpac.me/results/ae8f5db7-a89e-46a8-8e1e-e046f686a6b6/
SH256 hash:
965c356a75aaef88d94392ca5c0d25440c601a3970efbefc52599a66431214f5
MD5 hash:
8ba956b7314d1ee23dea412673fb2ff6
SHA1 hash:
3f99ebaa02870a76269c73969b74b852b2c906c4
Link:
https://www.unpac.me/results/ae8f5db7-a89e-46a8-8e1e-e046f686a6b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71573/

Comments