MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5518cf17d58456ba539de77af37d9f1b44595c535cccae6139d64d8a514cfa1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5518cf17d58456ba539de77af37d9f1b44595c535cccae6139d64d8a514cfa1f
SHA3-384 hash: 4fcd1779cb10f91f40bec20b44d5d0bcb97720d0a8fe5d91a90d7fef7ca654ac5617c211142394363a9bba6abec1a659
SHA1 hash: 2b8ae1bd453ed33ea310bfc121e43e24a713758f
MD5 hash: d60c5359fad423212c9176c286f86180
humanhash: cola-happy-fourteen-spaghetti
File name:4c6f81ac43405ad9ac6b5935a071f63d.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:953'344 bytes
First seen:2021-05-11 06:44:28 UTC
Last seen:2021-05-11 07:02:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:1JKxeayECYRqssfoGIWQ4rODYB9yQbbYta8tIG/JBWNpi8jhea3:XIeajUoGi4AGkM2faG/JBMcWhea3
Threatray 4'774 similar samples on MalwareBazaar
TLSH F41538802626A19DD0603FBDA13134E403B8EE27F9E54DD7529C7B22FEFB8511FA1925
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/154839/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778301
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 410698 Sample: 4c6f81ac43405ad9ac6b5935a07... Startdate: 11/05/2021 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 Yara detected AgentTesla 2->36 38 5 other signatures 2->38 6 4c6f81ac43405ad9ac6b5935a071f63d.exe 3 2->6         started        9 newapp.exe 3 2->9         started        11 newapp.exe 2 2->11         started        process3 signatures4 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->40 42 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->42 44 Injects a PE file into a foreign processes 6->44 13 4c6f81ac43405ad9ac6b5935a071f63d.exe 17 5 6->13         started        46 Multi AV Scanner detection for dropped file 9->46 18 newapp.exe 14 2 9->18         started        20 newapp.exe 9->20         started        22 newapp.exe 2 11->22         started        24 newapp.exe 11->24         started        process5 dnsIp6 30 hosseinsoltani.ir 185.55.225.19, 80 SERVERPARSIR Iran (ISLAMIC Republic Of) 13->30 26 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 13->26 dropped 28 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 13->28 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->48 50 Tries to steal Mail credentials (via file access) 13->50 52 Tries to harvest and steal ftp login credentials 13->52 54 2 other signatures 13->54 file7 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5518cf17d58456ba539de77af37d9f1b44595c535cccae6139d64d8a514cfa1f/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 06:45:18 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kumm6f6vqrlluu45455pg7m7dncfsxctltgk4yjz2zgyuukm7ipq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3bb4ba1af57ec635228b43c11b676612091f37e15b6578fca48e9a14195a9cd5
AgentTesla
8392af9cff73aab10a60befd359d4ca2638d6a936071285579147303bb453497
AgentTesla
89a79d6e08f22036f754947d43d1c5b6ba7865e246f462dedea0836dd748a8ea
AgentTesla
8ae7d31c639421a161679c972c59516da33ae3cd97ac6f81a5fc6c6d9c9169a8
AgentTesla
9641b42c328e6e872819d139d20c3b64ed5e00d044de54550d58c2c77917e50c
AgentTesla
98a0f70bad8b8d6877acaa0ae9d7e70127126e815db3ac71ae3492309114b6be
AgentTesla
9bdd28e639ad1bd0bd8cab6e287279db86d951b1a488786c3435f7a5f39ac383
AgentTesla
ba47f29c85e981cf2a9c11078c4f3fb6e0fcb42e894bf301f1522ca7148790f0
AgentTesla
cece846f69234defbd561899682dd1f687b8ed35ef5081a8a4cd3d7d8cbc7fe5
AgentTesla
e7f63ff5c5b933e940b344dd41e44224df5a554ad03dad40b54136eddfdeac9d
AgentTesla
+ 4'764 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210511-3ek8ke4sga/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
http://hosseinsoltani.ir/wp-includes/gu/inc/c8a002bdd798fa.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5518cf17d58456ba539de77af37d9f1b44595c535cccae6139d64d8a514cfa1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154839/

Comments