MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a746e5d571da38e2d3a73e37500182ce14cc15ba5dcef30851cfbbeeacd73cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 7

SHA256 hash: 5a746e5d571da38e2d3a73e37500182ce14cc15ba5dcef30851cfbbeeacd73cc
SHA3-384 hash: 09a85a392d331c7c9da1b962e4909cd4663fc35b87b57db0f16046202a3153aec6ba6022cf7ad4262dcd91f7e917b2ac
SHA1 hash: 6195718e1af056d2e889f078279e58dbbd9f6932
MD5 hash: ba114ab84e562a700e8a382d1c678aa3
humanhash: lion-single-monkey-fillet
File name: NEW OFFER No PO_821557.exe
Signature: AgentTesla
File size: 1'630'208 bytes
First seen: 2020-10-24 06:40:56 UTC
Last seen: 2020-10-24 07:58:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:1f2i/KPqHrMc/ZrFWsicdKJbh6CDTJ0y+nXOnrr6hw7hgLgN0E3jNzUz:AhUwcOjcdKZhCEnR4gN0E3jNzU
Threatray: 487 similar samples on MalwareBazaar
TLSH: A6755B9D766076DFC867C972CEA81C24EBA478BB871BC203945311AD990E99BCF141F3
Reporter: abuse_ch
Tags: AgentTesla exe

abuse_ch
Malspam distributing unidentified malware:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: MANAGEMENT <javaid@cyber.net.pk>
Reply-To: ericgillis60@gmail.com
Subject: NEW OFFER No PO_821557
Attachment: NEW OFFER No PO_821557.doc.z (contains "NEW OFFER No PO_821557.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 122
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Sending a UDP request
Adding an access-denied ACE
Launching a process
Creating a window
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-23 23:34:01 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SHA256: 8efcb0252d26ec0d5662b8bca0a4cd9bcd5eb818ded1afbf1f39642b44367ea2 | MD5: ddf4dcc917f0863056c6d1c8c5d53354 | SHA1: 21a0b38f3ffb1c24abc3dc8065ad3267fd76c79d
SHA256: bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049 | MD5: a92cc1f6e0a2742350dfda6726db14c0 | SHA1: e5404e3ed46498deb8ad8966a774540c2b8e9c1e
SHA256: 71ae8285c7761c070abca25f023e1f15f049c2ecb20b2efb8899a2acca5aa89b | MD5: 3d9b92aa723d229e0d6859fb1e970bf6 | SHA1: fccbfbe3a42b4c3d75f6e30f484e6fb7d9f788f5
SHA256: 5a746e5d571da38e2d3a73e37500182ce14cc15ba5dcef30851cfbbeeacd73cc | MD5: ba114ab84e562a700e8a382d1c678aa3 | SHA1: 6195718e1af056d2e889f078279e58dbbd9f6932
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Category: Malspam
Signature: AgentTesla
File: Executable exe 5a746e5d571da38e2d3a73e37500182ce14cc15ba5dcef30851cfbbeeacd73cc (this sample)
Delivery method: Distributed via e-mail attachment