MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a38c1770a9728871ebf9a8a4b7b9e676fe5ace9c9b4a1a5d64f8ae86044fa97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a38c1770a9728871ebf9a8a4b7b9e676fe5ace9c9b4a1a5d64f8ae86044fa97
SHA3-384 hash: 6e52f633d4cd20755f91a7e637e2c60bccda93b4011c1077b8451f23bdc09182b9667e20ed53d4f509947097fc18c917
SHA1 hash: c38a182b62104ec7bde609ff36a99ca2972da19b
MD5 hash: e620cb9ccee4b0460a3af37e72e57a9f
humanhash: undress-leopard-queen-potato
File name:cpGoM9vVOEuBvfH.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:469'504 bytes
First seen:2020-05-04 22:04:48 UTC
Last seen:2020-05-04 23:24:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:V1VvliklTI5I9axsl9Oh42sdXp5oFhyi2h:V/hT8I9CszwQXpSFhyiy
Threatray 10'657 similar samples on MalwareBazaar
TLSH C1A4592D29FEA667D56DC2B59BE08426F2F1C0277211EF257DE702D58783E02A78306D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: combytellc.com
Sending IP: 37.49.230.28
From: Sandeep Gill <sandeepgill@combytellc.com>
Reply-To: Email ADMIN <noreply@domain-admin.com>
Subject: quotation
Attachment: cpGoM9vVOEuBvfH.rar (contains "cpGoM9vVOEuBvfH.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.42943.3.26302.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-28 04:15:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=li4mc5yks4uiohv7tkfew646m5x6llhjzg2kdjowj6foqyce7klq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011a4b06a1a31fec0e9d5a013b9721f4e30f0ec963d07c42cb1d0e41c30df389
AgentTesla
12177f9ec0c28b50c85e79ed0e7cc672e08ce334dbd3aca0a3751b89a4c6c807
AgentTesla
21a78a3d5d52cb666ec339d42ea32c26d0757f60e31dfbde8e7d41786c2c72a0
AgentTesla
32e7be2844e7be1f6ae7d262eeebe64926946ebbc8e2d91ce3760b8e1d10285c
AgentTesla
561edd9f70bcb31e317b9af7c23b6fcf1af80a556a5837042154880296dd946a
AgentTesla
5e90b08b7efbc0e845c590ae49ba28df3e5312a485a80ea69b9f8145106b12b6
AgentTesla
66a2878b55d41d3e576ec08bb0e28573de3af9dbbbd08567cc730198a490d021
AgentTesla
a8c64168f72d3a7af27ae6dfff00da04467744c5bcc04f9292761359e5507cbf
AgentTesla
bab8aa286b30d5d413e87d60055b0be118695e740cafaed71754d8eb590a4776
AgentTesla
cd301ca1c374c26aca9bf5381a3b491ae384f06868617c6c16b563213854d159
AgentTesla
+ 10'647 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-26x2e1bjbx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla Payload
rezer0
AgentTesla
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar bd3c4b1a98f1119f27af21ce01ec3ead75d2a8b94c4b9c7a3232459193fb5417

AgentTesla

Executable exe 5a38c1770a9728871ebf9a8a4b7b9e676fe5ace9c9b4a1a5d64f8ae86044fa97

(this sample)

  
Dropped by
MD5 4daf0904e1f6c11460a4e2f06c697a5e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bd3c4b1a98f1119f27af21ce01ec3ead75d2a8b94c4b9c7a3232459193fb5417

Comments