MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf
SHA3-384 hash:	733d52f868898545c44b4a584f9d7a7e2796d130855ebccc6d48a608e46dd38e15258485dda8930da13c0a16a0a54a71
SHA1 hash:	2432af57eedc00acad83e4ee6a7d31728bcf7b23
MD5 hash:	82420dcd01217c8c75b4dcf1165b2a7d
humanhash:	mango-ohio-nevada-rugby
File name:	921009-2_Product_List_Specification.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	667'136 bytes
First seen:	2020-10-13 10:36:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:xaTkHdG9OcrTHvNEkCiY9JumKyPFaLAjlopgiR0sHdoZelIakVGp:x6O0P6zwnyFaUnVGp
Threatray	430 similar samples on MalwareBazaar
TLSH	CBE48D4A2F91AE0FFA2D4CB1C42D193C9291F11AB387F247D52295D87E4E36D9E021F6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

From: Matthew Birkett <matthew@simplesourcing.net>
Subject: New September inquiry
Attachment: 921009-2_Product_List_Specification.img (contains "921009-2_Product_List_Specification.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Bulz.95699.15111.18696.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/489512

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-13 09:43:18 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kmdmz6haohp23r2be53ev4jm4jrjlxvbfcq2opetcux4jjoup3pq._file

Verdict:

unknown

AgentTesla

4106d7796887912eef46c78f6f62593d12152ae114e6e67c004afcaddb4296f5

AgentTesla

5feefba742eecb4eb287261d0d1b3ffa2a44535d88496edbc85f15975a471eaa

AgentTesla

66428bc7e93f0c6e440d5d078506a28a53d5f65df1382b733206c68659076c84

AgentTesla

6b749b16961bf8b461c0865eaea4869ed9fefb393e2e5c367741b1cb0ce7ff1b

AgentTesla

75bf8cf9e7b9b06f08396a6d6ecf3bca428c00cd79e4b9bf6e56619b67d7c4de

AgentTesla

a66773bfc5fe5cfabc1ba18edbf514246699d37ccaace2705a8f4c0ecb6ee8bd

AgentTesla

d24bb55f5d9a39c42a96837653c4821ee9406d0896199db1b54cc3078b002547

AgentTesla

eda68de6706516012cda72a22a1e9e089d85ad324f47768bb982eea97836fd8d

AgentTesla

fc83ea48f38623db8af07e9dad3b2802bb49284ab2b69620eaf9a25f62177329

AgentTesla

+ 420 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/201013-285kddjdce/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf

MD5 hash:

82420dcd01217c8c75b4dcf1165b2a7d

SHA1 hash:

2432af57eedc00acad83e4ee6a7d31728bcf7b23

Link:

https://www.unpac.me/results/25580456-1cc4-4365-aba8-5601ece473ce/

SH256 hash:

98f1ec063c0e92115eddc2992cd164eae8d96c49177483321b525364469c9cc6

MD5 hash:

415624be058a0819e01e4018900197d9

SHA1 hash:

268c761ce93ebe55398764b747b40ad175b7fb87

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/25580456-1cc4-4365-aba8-5601ece473ce/

Parent samples :

55ee4e94de776d7e7748e9a321055cc59d0f0274b2b81bfae0f1f020a65ab33f
ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a
5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf
6c7db3cbcde67820238124f2e18f872ead9184460bcfb2ab23c292f5ade625e2
7ce357f7c3475e91f3dd3880f4fbbaa6d50f7101044b8b24e2ca0ea70981286c
8ea119b72080d578b209c7daf8462f18fa70e9592bbdae7ee6ea63bd4d67e8a5

SH256 hash:

d938213609dd34cda0f0eae7bd0ea2970e176a069b0adf5f88b9c2d38fb491d2

MD5 hash:

a3deed3766bb34776012a5a841ef520b

SHA1 hash:

9b991e797bbab6a8ba0b0b3b4d88203b23a2cee6

Link:

https://www.unpac.me/results/25580456-1cc4-4365-aba8-5601ece473ce/

SH256 hash:

18e742853c2b1cde32130b0470d1889616debe7d0e442294d22685840b16bc58

MD5 hash:

d3138dbb579290b3609a3917bd129a07

SHA1 hash:

9e1f81869043b43d85935e6e142dfb4ba86fd512

Link:

https://www.unpac.me/results/25580456-1cc4-4365-aba8-5601ece473ce/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img f01d7e84172cc1df0d5a6cd4c3e16463450ee9b7d76550f08dbe015c52ed9730

AgentTesla

exe 5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf

(this sample)

Dropped by

MD5 716cfe00022d5d1fd3acd73acf78fdaa

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/70380/

Dropped by

SHA256 f01d7e84172cc1df0d5a6cd4c3e16463450ee9b7d76550f08dbe015c52ed9730

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample