MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a
SHA3-384 hash: 31833d9e9d99c2ba572c95c5b218a434e1281a0c03fd7f345eb9792e4918712c4c878516c64859fa7997fafe24527a7e
SHA1 hash: e599740146f97a40da77c43037dd0d884ed50f4b
MD5 hash: 67f9a195fc43b629b0a9a7c463c42ac3
humanhash: king-bravo-network-india
File name:shipment_document_draft hbl_36243526.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:551'936 bytes
First seen:2023-04-14 06:11:12 UTC
Last seen:2023-04-17 13:08:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:x9ljbUPQDXPB4Sh1e779KLRoEHFTr58VLHomULeZJFynywJx:NQQDXZJEhooMh5AImULeZJCHx
Threatray 2'062 similar samples on MalwareBazaar
TLSH T1ABC42321721C4721E83DABF6105607224BB72A1BF53AFF6D5D9DA1EB2B827610740F93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shipment_document_draft hbl_36243526.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 06:13:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/575cde2f-7dd9-4ea2-9cfd-c7f2624026f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382177/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6438eeb4b4ec50bace6021bb/reports/1f9975b9-81ee-4f34-8c07-8538d5391e82/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/344901b1-ea12-4052-98f5-3d9ea275155d
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213674
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ke4sc7ygubwi4hwqpxdjrzdgou2xpqnv3dcux6p3nggrhxyzwmna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
AgentTesla
22966ba42f0a0adda0c87caa3aa1b8b9fcc8537081b2a6c2791df3b37a4ca5cf
AgentTesla
349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748
AgentTesla
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
AgentTesla
655260800846128f96bb9bd7e4926711a5b75df01f36ae7dfa5b2197f1105f67
AgentTesla
935a2843dc01d80582184dd6aa77fc2f4c99aaeb48b9dfef6a1e1df2e927feda
AgentTesla
9c2c8761ad2b6ff1f1210799eb5235fe597150650e7d593c65a55c39185f4acd
AgentTesla
ced049b334ce9d4a11a333eb078271f027d2b64fb3d00760e17ba355ad8ae057
AgentTesla
d44d7cdd0f94710f6b72db3b98f5742ce9be0869f22bab9aaae8f6aa923c73d2
AgentTesla
ee734d6d93d42624ffd7f363f3252ee46cfbc5b6adef174447232605bda7d607
AgentTesla
+ 2'052 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230414-gx7mmagf22/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
022de27797ad907f38356d85bfba612515f93fdcc357377e918e3c0fa19a82f5
MD5 hash:
e626eed502220e346217a6a67102899c
SHA1 hash:
f022a910ff2b1bc2282c216af70ce7ef826a139f
Link:
https://www.unpac.me/results/f5a1d3ec-1240-480c-9940-31ccef260093/
Parent samples :
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
475bd18814dd4181d931894380857accd1428b171ae2f077a6b706411a0005ef
ebe78c5b5c43e135929a0e4d64b63a8707f90e9c1de2fd46ae36d67098d2a559
2736bb21fab5703708ab49c3f24660ff1e8f2fc8745ae19bc422f5e6aff5f5d8
d77497cc30720ab4a1b768d7f20e4e3697fe53c06bd151b6c988ee903e0b6cff
ca5fb8c65adb08fa65191c8c9fd1884cbb730afcff6c9231684bdf6b3a1b6fdd
84652d3181fc4dfad881b733e96b9181c2aa8bf5d3257781228613419f7583a2
72d5d936fa25c900e432099c68cabb79f4637ad70b19913494fd9f0e7534a3fe
a907c4b91d636f9cd26d83b87d50633f1848f9c4c5bb8c5c83b50f0c2dcfaf35
0dd26f6dce309836b816b12516eb74464d844ef234c52e2e0c4bfc46e5ed067f
88c781e6e6adf31e3e128be59b2d85d3e1f06a21cb7ff657e6484f2d6f9e6559
06fbce2c06c6be78142bf529523adc5fa803282dde64baf75861ddfd325dc666
84b007fa05a8254769962daa7fffecfa810cf65414f5c31134ad6b4f6ed0d85c
472336b7af69430e9e8597a1c143d45fb5759d1a58b8055db6cdc862b54c0122
SH256 hash:
ff7f9fd711f273befc1d640753def8c2c79be764b97c51cc3ff4708431883ba0
MD5 hash:
705e3c8471d7db4b18a9a28f2dcce1c2
SHA1 hash:
c193724e4518741520b89a0ef0b38b7458ba40c6
Link:
https://www.unpac.me/results/f5a1d3ec-1240-480c-9940-31ccef260093/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/f5a1d3ec-1240-480c-9940-31ccef260093/
SH256 hash:
01c3353826a2c8724d5c3ffb7002017cec8347914c20cfb20e3d854eca2451ce
MD5 hash:
b68791852212edc9cb138ed59d3ee116
SHA1 hash:
40c4bdd3f321d32f4ec5a5483bbaa0760c4436e0
Link:
https://www.unpac.me/results/f5a1d3ec-1240-480c-9940-31ccef260093/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/f5a1d3ec-1240-480c-9940-31ccef260093/
SH256 hash:
5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a
MD5 hash:
67f9a195fc43b629b0a9a7c463c42ac3
SHA1 hash:
e599740146f97a40da77c43037dd0d884ed50f4b
Link:
https://www.unpac.me/results/f5a1d3ec-1240-480c-9940-31ccef260093/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5139217f06a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382177/

Comments