MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d
SHA3-384 hash: ab0404a20af0d1c99d535aa2026a301b141743f20664e30ecf3d8fc3fe54ab3fbe55c8ffddddfd5798d01487e180ef98
SHA1 hash: 5fd1d2cdc8a205033258223b84fd6f2ef4f7241d
MD5 hash: 65a5db8c5f12fb3b7810b5b22d14d247
humanhash: fish-winner-harry-harry
File name:ETC-20-3049-R.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:718'336 bytes
First seen:2020-10-13 14:53:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:LqRB8S3vf0AyF0xz0TFpt9c1t59QqEsoW4H6ZiZ:+jb3v8LTFpvc1N8H6
Threatray 414 similar samples on MalwareBazaar
TLSH C7E49D496F42AE0EFA6D4C71C43D193CD260E1EAF207F2479522A5D4BE4E36EAE011F5
Reporter abuse_ch
Tags:AgentTesla exe Telegram


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pirtek.co.uk
Sending IP: 45.88.3.137
From: Rajan Gurung <Rajan.Gurung@pirtek.co.uk>
Subject: NEW INQUIRY : ETC-20-3049-R
Attachment: ETC-20-3049-R.iso (contains "ETC-20-3049-R.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70529/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.57234.6637.20202.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/489935
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 10:14:52 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lkztk22ef4tlzl4rmktdn477gzvouoxuampp35dmzaaigdmvvbgq._file
Verdict:
unknown
Similar samples:
162a5aa5e6e0298edbae1a494d2a3e177f0fb42b1c2e35eaecdbe1715d519694
AgentTesla
30fdd56ea8646781decef9395d191a98f9b0319bff33713a6486137274efc270
AgentTesla
3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae
AgentTesla
5caa7e9eb486ca9161d410e9fe1dc4074c3b0c66f8d6cd05ab5ae6dd35837c5a
AgentTesla
64379371f079edd1bb0d1a26a98e0a487c4e89a468f60674d803f929d24d3ecb
AgentTesla
69fd68e42bf6c97d7d97134c248ced79cd81fe6b58873b3d31558bf4d875a097
AgentTesla
6a47bf03b1ffebac3ef5497af7d67aa562f3c401c3694d8551f7092f7f469313
AgentTesla
7193d497b1b85ec895b6d2c976a2d102a1a33d52b029a233d94a12cae12bd6f9
AgentTesla
7d16317ca81889aab8d6d82440ab0fb2375d4ef7747f2b1d77936fd79141ba77
AgentTesla
9910df1ac6284683a19c1fe576367e0b4174dfa65846cce6d0b3a1663bd368b6
AgentTesla
+ 404 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201013-n63blr7p6e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
97174f44c76140839f66c4609d689275f971b6fa5fead0634dc17233993745ec
MD5 hash:
1de8273768b54bda040456b4ee39f74e
SHA1 hash:
73804fd087a2445bc339426316f57018140f68ee
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/424f6629-118d-4cc5-8fb7-5f3e51a843b5/
Parent samples :
1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb
5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d
SH256 hash:
5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d
MD5 hash:
65a5db8c5f12fb3b7810b5b22d14d247
SHA1 hash:
5fd1d2cdc8a205033258223b84fd6f2ef4f7241d
Link:
https://www.unpac.me/results/424f6629-118d-4cc5-8fb7-5f3e51a843b5/
SH256 hash:
88eb971fe4ae295269b7b5eeba4257b1934be1ad251ce67d3d5b500e35110060
MD5 hash:
cc56aeeef20df075a76d3a7794f8d250
SHA1 hash:
767138b6bac01f7edc6909147985819639692304
Link:
https://www.unpac.me/results/424f6629-118d-4cc5-8fb7-5f3e51a843b5/
SH256 hash:
3fa594cfcdf49720a316abf9b61a9849d49a9c1d32fa5e675012d04e923a4638
MD5 hash:
4f4b20d5777bff8381bd7b1010598ab4
SHA1 hash:
e9ada31b3c5a4ee81524ba73f1da97c2433097a9
Link:
https://www.unpac.me/results/424f6629-118d-4cc5-8fb7-5f3e51a843b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 6e14ef98be2e7e55d797b7f77639613c9958c0732f4488fcbb969646e41a229d

AgentTesla

Executable exe 5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d

(this sample)

  
Dropped by
MD5 72b00ab7b6ef1c8b45f7aad7c3a1496c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70529/
  
Dropped by
SHA256 6e14ef98be2e7e55d797b7f77639613c9958c0732f4488fcbb969646e41a229d

Comments