MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5994f45fc95b80beb8ef828728bd8248455a7f2c503b025be6991a700ecbbf53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5994f45fc95b80beb8ef828728bd8248455a7f2c503b025be6991a700ecbbf53
SHA3-384 hash: a183cbbf29dd453b57f7a10518b8e2fe43afb6a18f3c9afdc9d0fa9f3ef706e905be57fb74e3a8d16463c3f2d7a78d07
SHA1 hash: a45bcf927345f48943b659d8b483ecb7b8865a9e
MD5 hash: a1a8d71897fa2160525a6e5deac4b99f
humanhash: skylark-august-low-eighteen
File name:G3PKtQPPmMFXB4b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:678'400 bytes
First seen:2020-12-17 08:51:39 UTC
Last seen:2020-12-17 10:29:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:NMCqwPdhxXaDaC5Rl1BwTirczmX3HndrVekHyjIHmw5cpFAN1Do7OFl6HK39d2L:V1qwirczq3HdZpYaXl6UX2
Threatray 1'872 similar samples on MalwareBazaar
TLSH 49E41224B5ECCB67D5AF6BFCA355100A43B2217A6542F34A8FC4A4EE3D367A04C057A7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server2-ip26.mailsentinel.net
Sending IP: 111.90.139.111
From: sales@simhanmy.com
Subject: Re: Order Inquiry
Attachment: Order Inquiry pdf.rar (contains "G3PKtQPPmMFXB4b.exe")

AgentTesla SMTP exfil server:
smtp.semsmar.com:587

AgentTesla SMTP exfil email address:
huvergg@semsmar.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.26725.25074.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565224
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 331695 Sample: G3PKtQPPmMFXB4b.exe Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 30 smtp.semsmar.com 2->30 32 us2.smtp.mailhostbox.com 2->32 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 5 other signatures 2->52 7 G3PKtQPPmMFXB4b.exe 3 2->7         started        11 newapp.exe 3 2->11         started        13 newapp.exe 2 2->13         started        signatures3 process4 file5 28 C:\Users\user\...behaviorgraph3PKtQPPmMFXB4b.exe.log, ASCII 7->28 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->56 58 Injects a PE file into a foreign processes 7->58 15 G3PKtQPPmMFXB4b.exe 2 9 7->15         started        60 Multi AV Scanner detection for dropped file 11->60 62 Machine Learning detection for dropped file 11->62 20 newapp.exe 2 11->20         started        22 newapp.exe 2 13->22         started        signatures6 process7 dnsIp8 34 smtp.semsmar.com 15->34 36 us2.smtp.mailhostbox.com 208.91.199.224, 49757, 49758, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->36 24 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->24 dropped 26 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->26 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Tries to steal Mail credentials (via file access) 15->40 42 Tries to harvest and steal ftp login credentials 15->42 44 3 other signatures 15->44 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5994f45fc95b80beb8ef828728bd8248455a7f2c503b025be6991a700ecbbf53/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 03:19:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgkpix6jloal5ohpqkdsrpmcjbcvu7zmka5qew7gtenhadwlx5jq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
014b3137818fe9c6b66f870dfb5a2d59ea9e78ef414cb28dae5142e9eeb1736c
AgentTesla
1b80f30f0ee26805d860b7443b35190a7a5c93e159585b4ebef9419fc98e1b04
AgentTesla
20caa9bbab7ef41b3766a4fc9c1690b84b9425a1105eb563673a5000f02936b3
AgentTesla
48c481b14b6773bc4405945f9444cc6fc45fe5908c3ef24f5faf4b0815d27615
AgentTesla
701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671
AgentTesla
9b49a9b7baa2dd6642fcc3c97976f6f1ddb0f8d6b4261ce4b32583c75a572e4e
AgentTesla
c1e775844ae65d163fef7ec92e2d48ab4fd36ec5412999a5cba1c85ef0edd105
AgentTesla
e2b7ea3f36ee9c137c8b52e44c82965f11ccb6c61ad037402416b2c75a532a1e
AgentTesla
f04d5b287971f60d5f04b262f3714a790b7d7c9b591ab88faa1d1f5244792d09
AgentTesla
fc76131b70298de640e209e57bfe7995a4e506752d93d04a91df9d88afed01df
AgentTesla
+ 1'862 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201217-ft5ncck5bs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527
MD5 hash:
bf99ee5fbf42797bd1ade95b109d634c
SHA1 hash:
e02abfdbca94a24a36b47d49a28360b79aabd294
Link:
https://www.unpac.me/results/b254db18-7cff-4863-bb3e-3254203d5f0e/
SH256 hash:
5994f45fc95b80beb8ef828728bd8248455a7f2c503b025be6991a700ecbbf53
MD5 hash:
a1a8d71897fa2160525a6e5deac4b99f
SHA1 hash:
a45bcf927345f48943b659d8b483ecb7b8865a9e
Link:
https://www.unpac.me/results/b254db18-7cff-4863-bb3e-3254203d5f0e/
SH256 hash:
506a2b5799a1ed6068b2acbd1170ae3960bbab76e507e07d735203ff42c7ea99
MD5 hash:
126cdbc19586c6af4d0bcb4930305af3
SHA1 hash:
70c4e444294f07db2f7cec68b49c1f05bbc6e01c
Link:
https://www.unpac.me/results/b254db18-7cff-4863-bb3e-3254203d5f0e/
SH256 hash:
f3f4c0cb808adafa8d427120d8859eb3c20b17dc217270a14bf5dad4d621d77d
MD5 hash:
37b57ba8cc7c6d509d1ff33ad42210a5
SHA1 hash:
d428c36fbb83d63ac01649fb6ced0090bc296267
Link:
https://www.unpac.me/results/b254db18-7cff-4863-bb3e-3254203d5f0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5994f45fc95b80beb8ef828728bd8248455a7f2c503b025be6991a700ecbbf53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar fae1c8e7fcb50264faecf8cf66fb5e575d2b9d2efeb028bc5a63fee515933fee

AgentTesla

Executable exe 5994f45fc95b80beb8ef828728bd8248455a7f2c503b025be6991a700ecbbf53

(this sample)

  
Dropped by
MD5 d2bf7bbc126c0936d1d687a377eea2a2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fae1c8e7fcb50264faecf8cf66fb5e575d2b9d2efeb028bc5a63fee515933fee

Comments