MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5133f50e4eba6506c9b0236ee2b881301886ab8967b75316d9b259063ca1a2dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: 5133f50e4eba6506c9b0236ee2b881301886ab8967b75316d9b259063ca1a2dc
SHA3-384 hash: c6051df5dd26495eca1b22031a85fb82e49770053aa1d7c622c0c2eb3c30a2baa2bd2e825e5759e3bf355dc82b042fe2
SHA1 hash: 2157d11a88c79dc175177f52a0e9e8a86a02d90f
MD5 hash: 3d217e1b48eb19a781ff9faa3834ef19
humanhash: autumn-three-cold-sweet
File name: PO8985542021.exe
Signature: AgentTesla
File size: 588'800 bytes
First seen: 2021-06-16 05:46:33 UTC
Last seen: 2021-06-16 06:48:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (also seen in 48'754 x AgentTesla, 19'660 x Formbook, 12'251 x SnakeKeylogger samples)
ssdeep: 12288:7EvkOvegwFO84ZwxDZUdC8Tvn8EDKGJysb8zJ4gJNoN:74JexFEQa88L8nGJZI2
Threatray: 249 similar samples on MalwareBazaar
TLSH: C2C41263FA50FDD5D0590077D53392801B61DC2DC3A1EB3BA0AE763639B2357D68AA07
Reporter: GovCERT_CH
Tags: AgentTesla exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 102
Origin country: n/a

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: PO8985542021.exe
Verdict: Suspicious activity
Analysis date: 2021-06-16 05:49:16 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Result
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-06-16 05:47:16 UTC
AV detection: 8 of 46 (17.39%)
Threat level: 3/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
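The sandbox signatures above ("Wscript starts Powershell (via cmd or directly)", "Adds a directory exclusion to Windows Defender", "Creating a process with a hidden window") are the kind of behaviour a detection engineer turns into process-creation rules. The block below is an added example, not code from MalwareBazaar or from any of the sandbox vendors whose results are shown here; it runs three such checks over Sysmon-style process-creation records. The PIDs, file paths and command lines in SAMPLE_EVENTS are constructed for the demonstration and are not taken from this sample's execution trace. The "via cmd" case is handled by walking the parent chain through cmd.exe rather than matching only the immediate parent.

```python
import json
import ntpath
import re

# Constructed Sysmon "process creation" (Event ID 1) records as JSON lines.
# PIDs, paths and command lines are invented for this example; they are not
# taken from the sample's sandbox trace.
SAMPLE_EVENTS = r'''
{"ProcessId": 100, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe C:\\Users\\Public\\invoice.vbs"}
{"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "cmd.exe /c C:\\Users\\Public\\run.bat"}
{"ProcessId": 400, "ParentProcessId": 300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -c Add-MpPreference -ExclusionPath C:\\Users\\Public"}
{"ProcessId": 600, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"}
'''

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PASSTHROUGH = {"cmd.exe"}      # covers the "via cmd" variant of the signature
MAX_DEPTH = 4                  # how many ancestors to walk before giving up

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
# -WindowStyle Hidden; PowerShell accepts any unambiguous prefix of the
# parameter name, so "-w hidden" and "-win hidden" must match too (heuristic).
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden\b", re.I)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _exe(path):
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.basename(path).lower()


def wscript_started_powershell(ev, by_pid):
    """True if `ev` is PowerShell whose ancestry (through cmd.exe only) reaches
    wscript/cscript. Falls back to ParentImage when the parent event is missing."""
    if _exe(ev["Image"]) not in POWERSHELL:
        return False
    cur = ev
    for _ in range(MAX_DEPTH):
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:
            return _exe(cur["ParentImage"]) in SCRIPT_HOSTS
        name = _exe(parent["Image"])
        if name in SCRIPT_HOSTS:
            return True
        if name not in PASSTHROUGH:
            return False
        cur = parent
    return False


def detect(events):
    """Return (ProcessId, rule) pairs for every event matching a rule."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if wscript_started_powershell(ev, by_pid):
            hits.append((ev["ProcessId"], "wscript_to_powershell"))
        if DEFENDER_EXCLUSION.search(cmd):
            hits.append((ev["ProcessId"], "defender_exclusion"))
        if HIDDEN_WINDOW.search(cmd):
            hits.append((ev["ProcessId"], "hidden_window"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {rule}")
```

On the constructed events only PID 400 fires, once per rule; the interactive PowerShell launched from Explorer (PID 600) is not flagged because its ancestry never reaches a script host. The ancestry walk stops at the first process that is neither cmd.exe nor a script host, so a long-lived cmd.exe shell started by a user does not inherit suspicion from an unrelated wscript.exe further up the tree.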
Unpacked files
SHA256 hash: 955e554008ff6e7996eb82e247262508ce921337291d5b307929b88ffefb9771
MD5 hash: 1195e1a88774a6b8378b881e0217b8e5
SHA1 hash: f1747d98fdd84a2570e2c67853ff161fdbab7927

SHA256 hash: 6b8f50cbc32234048c0d87b9dffed33f50948b9011b0c690ffa5ce71ca4758ee
MD5 hash: f7cea29f3fccb2db0d528484e5936e4e
SHA1 hash: 8cf0e9234106cfb3cbf0ce672b22325a5d3d001f

SHA256 hash: 0fc46d70a426d7ab0dce3896f7be0d9a2c4ef77ba4192b209fbd07a6d4ada708
MD5 hash: a915e698eb18652ee7e9eb6f02fa2948
SHA1 hash: 18b31c8b3afe6e564bc29e666eea1fd333511842

SHA256 hash: 5133f50e4eba6506c9b0236ee2b881301886ab8967b75316d9b259063ca1a2dc
MD5 hash: 3d217e1b48eb19a781ff9faa3834ef19
SHA1 hash: 2157d11a88c79dc175177f52a0e9e8a86a02d90f
Please note that we are no longer able to provide a coverage score for Virus Total.
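Before handling a sample downloaded from this entry, a practitioner normally confirms that the bytes on disk match every hash and the size listed above, and then sweeps a triage directory for both the sample and the unpacked payloads listed under "Unpacked files". The block below is an added example, not code from MalwareBazaar; it embeds the hashes and size copied from this entry and hashes a file once in a single pass for all four algorithms. Because the sample itself is not part of this page, the example is exercised on constructed bytes, which naturally mismatch every field.

```python
import hashlib
import io
import os

# Digests and size of the sample, copied from the entry above.
ENTRY = {
    "sha256": "5133f50e4eba6506c9b0236ee2b881301886ab8967b75316d9b259063ca1a2dc",
    "sha3_384": "c6051df5dd26495eca1b22031a85fb82e49770053aa1d7c622c0c2eb3c30a2baa2bd2e825e5759e3bf355dc82b042fe2",
    "sha1": "2157d11a88c79dc175177f52a0e9e8a86a02d90f",
    "md5": "3d217e1b48eb19a781ff9faa3834ef19",
    "size": 588800,
}

# SHA256 of the sample and of the three unpacked files listed in the entry.
KNOWN_SHA256 = {
    "5133f50e4eba6506c9b0236ee2b881301886ab8967b75316d9b259063ca1a2dc",
    "955e554008ff6e7996eb82e247262508ce921337291d5b307929b88ffefb9771",
    "6b8f50cbc32234048c0d87b9dffed33f50948b9011b0c690ffa5ce71ca4758ee",
    "0fc46d70a426d7ab0dce3896f7be0d9a2c4ef77ba4192b209fbd07a6d4ada708",
}

HASH_ALGOS = ("sha256", "sha3_384", "sha1", "md5")
CHUNK = 1 << 20


def digests_of_stream(fh):
    """Hash a binary stream once, feeding all algorithms in a single pass."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    size = 0
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {algo: h.hexdigest() for algo, h in hashers.items()}
    result["size"] = size
    return result


def digests(data):
    return digests_of_stream(io.BytesIO(data))


def mismatches(data, entry=ENTRY):
    """Fields of `entry` the bytes do not satisfy: {field: (expected, observed)}.
    An empty dict means every listed hash and the size agree."""
    observed = digests(data)
    bad = {}
    for field, expected in entry.items():
        got = observed[field]
        if isinstance(expected, str):
            expected, got = expected.lower(), got.lower()
        if expected != got:
            bad[field] = (expected, got)
    return bad


def is_known_artifact(data):
    """True if the bytes are the sample itself or one of its listed unpacked files."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


def scan_tree(root):
    """Paths under `root` whose SHA256 is on the entry's list (sample or unpacked file)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if digests_of_stream(fh)["sha256"] in KNOWN_SHA256:
                    found.append(path)
    return found


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        bad = mismatches(fh.read())
    print("matches entry" if not bad else f"mismatch: {bad}")
```

`mismatches` reports every disagreeing field rather than stopping at the first, so a file that matches on MD5 and SHA1 but not on SHA256 or size is visible as such instead of being reported as simply "no match". `scan_tree` hashes files without loading them into memory twice, which matters when sweeping a directory of dumps larger than this 588 KB sample.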

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: AgentTesla
File: Executable exe 5133f50e4eba6506c9b0236ee2b881301886ab8967b75316d9b259063ca1a2dc (this sample)
