MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5061c37f3da83ecc313ca31367f4217866a7b0cd7e2f5ea982497ac498e18e71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5061c37f3da83ecc313ca31367f4217866a7b0cd7e2f5ea982497ac498e18e71
SHA3-384 hash: dc3e6156484349e1bdac768add173e14383ecb5df2d2ecbe07ee88cc03663c9a52c31457048346e5a096056e79d6ca25
SHA1 hash: b029a9c3082e9eb242354b631391cb525349bc96
MD5 hash: 359560373daff1db7303af2249f27d09
humanhash: vegan-lemon-bravo-whiskey
File name:BANK REPORT AUTHORIZATION LETTER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:860'160 bytes
First seen:2021-08-27 13:04:02 UTC
Last seen:2021-08-27 23:51:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:11UEF/uJdCqanYAtSOfZha2e8cQ1QuWr:8EduJXanYAtZfZTemGj
Threatray 9'022 similar samples on MalwareBazaar
TLSH T109055D3D29BD222BD1B9C7B5CBE0D833F0549DAF3111AA6464D78B6A5352E4235C323E
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BANK REPORT AUTHORIZATION LETTER.exe
Verdict:
Malicious activity
Analysis date:
2021-08-27 13:05:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b28f7262-1584-40bf-842b-d4d72eaad63f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182927/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa5adc2b-4155-4562-83d8-16e25f236da7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840404
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 472835 Sample: BANK REPORT AUTHORIZATION L... Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 10 other signatures 2->59 7 BANK REPORT AUTHORIZATION LETTER.exe 7 2->7         started        11 newapp.exe 5 2->11         started        13 newapp.exe 4 2->13         started        process3 dnsIp4 41 C:\Users\user\AppData\Roaming\QIPsjuJ.exe, PE32 7->41 dropped 43 C:\Users\user\AppData\Local\...\tmpD542.tmp, XML 7->43 dropped 45 BANK REPORT AUTHORIZATION LETTER.exe.log, ASCII 7->45 dropped 69 Injects a PE file into a foreign processes 7->69 16 BANK REPORT AUTHORIZATION LETTER.exe 2 9 7->16         started        21 schtasks.exe 1 7->21         started        71 Multi AV Scanner detection for dropped file 11->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->75 23 schtasks.exe 1 11->23         started        25 newapp.exe 2 11->25         started        51 192.168.2.1 unknown unknown 13->51 27 schtasks.exe 13->27         started        29 newapp.exe 13->29         started        file5 signatures6 process7 dnsIp8 47 smtp.tssssdomain.com 16->47 49 us2.smtp.mailhostbox.com 208.91.199.225, 49732, 49733, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->49 37 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->37 dropped 39 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 16->39 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->61 63 Tries to steal Mail credentials (via file access) 16->63 65 Tries to harvest and steal ftp login credentials 16->65 67 3 other signatures 16->67 31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5061c37f3da83ecc313ca31367f4217866a7b0cd7e2f5ea982497ac498e18e71/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 11:54:14 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbq4g7z5va7mymj4umjwp5bbpbtkpmgnpyxv5kmcjf5mjghbrzyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
090b379ffd22f27e1070c2f56d6a7833a6f04451cd4b065571dd2e04e62faac5
AgentTesla
0dde386d301256d9f11d4003d0ec036be32ab0ffa411a2183b137b6f7782f162
AgentTesla
37211ea70920adce4d2704187d8f45233724e84c2dc18158387da8bf2e94eee0
AgentTesla
4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16
AgentTesla
68c82784182c8cbb7e3106e1df62a90619357c509825b0c8cb3d6c92b6806817
AgentTesla
74e4fd16559937ee0b609eb858531a442c7fac27651c6d9b5ffc262b7fe3dcd4
AgentTesla
80ef601f22b023786e457852b1723ef80952ea8e2f98f1e387bebe043bfa1d59
AgentTesla
88519e68f6222e17f3490e6448f5fa0c92acee69133566472ff168c23298e5d9
AgentTesla
c41bf14b438d450a2ffce8a02c50adfea59c08f5b03d1d4f240cce6f44a7886b
AgentTesla
+ 9'012 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210827-15zlgrsfnx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/13250f05-6792-4d5f-bcf4-a6228bfd28a4/
SH256 hash:
caac6ba746e7a47ae25d50834a60a10e204edb7149f2280c6b38135735e5837a
MD5 hash:
ec4e2955f3284f9d085ffc9f4a8cab44
SHA1 hash:
a2b4cedc5dd124c1f45f88c86d145edeeec30d32
Link:
https://www.unpac.me/results/13250f05-6792-4d5f-bcf4-a6228bfd28a4/
SH256 hash:
6b5515f78fe4d309ec039d3e6186c077f6b111b8970bd4cf1382377435f8e79f
MD5 hash:
2d1005bd10097331a6badd0401065d17
SHA1 hash:
0a26c4f1a3e0cbe3864b86cba08dc8c6074a5335
Link:
https://www.unpac.me/results/13250f05-6792-4d5f-bcf4-a6228bfd28a4/
SH256 hash:
5061c37f3da83ecc313ca31367f4217866a7b0cd7e2f5ea982497ac498e18e71
MD5 hash:
359560373daff1db7303af2249f27d09
SHA1 hash:
b029a9c3082e9eb242354b631391cb525349bc96
Link:
https://www.unpac.me/results/13250f05-6792-4d5f-bcf4-a6228bfd28a4/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5061c37f3da8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5061c37f3da83ecc313ca31367f4217866a7b0cd7e2f5ea982497ac498e18e71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182927/

Comments