MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
SHA3-384 hash: 70ec4b4a618a468d746fb1bed5d817d5a3193ba0e42ea4e5ff1dff2ec6cb2fdffba8ee4417b4207a04058a7edd435508
SHA1 hash: 6b8d663d2f38b569881ffd458bde6f06cd30f507
MD5 hash: ad5982d802d2039bed552a10f41cc535
humanhash: foxtrot-fourteen-network-nevada
File name:file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:744'448 bytes
First seen:2023-07-24 06:07:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:mEvJRBusyvr5Lr2zqX0y9ZAVaOiRkHIRI9SC4wJy9S8czzXqSTQRbv/Q4wj+R:LFuD5KqTZpSI3aJTzzXjTQdY4
Threatray 5'154 similar samples on MalwareBazaar
TLSH T185F4222033655E03E4ADFDF41AA1562663756145192BD3CECC7A30C70EA0B85BFA2EE7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d455a86d496832b0 (15 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.securipro.com.my:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 06:19:33 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/1564cb61-527d-4aae-9ad8-e3f471c3e895

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430571/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.37323.3973.16452.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30edd357-bcc0-4a0c-88ec-c319c96db78b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278025
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278025 Sample: file.exe Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 5 other signatures 2->53 7 file.exe 7 2->7         started        11 AtpXearvHnaR.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\AtpXearvHnaR.exe, PE32 7->37 dropped 39 C:\Users\...\AtpXearvHnaR.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmp6F94.tmp, XML 7->41 dropped 43 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->43 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 file.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        27 2 other processes 7->27 61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 AtpXearvHnaR.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 AtpXearvHnaR.exe 11->25         started        signatures5 process6 dnsIp7 45 mail.securipro.com.my 110.4.45.162, 49698, 49699, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 13->45 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->67 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f/
Threat name:
ByteCode-MSIL.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 05:01:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lly2xim5txldsvblvfa3ryyusxi7s6e62qtng5xipyca2xgz35pq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
AgentTesla
4179cbf147e658854400967be76ca120278fe858fa44cc24cefea7578065b2ad
AgentTesla
5afc34ba8d87868898a975c8a82a6817739d9ff294fae609b2ca293ac5e478a6
AgentTesla
82ec3f48b64379387613c3cddcdd400f095161826bac92ce3f7907dc3807a9df
AgentTesla
8faf480c1ae966b6f4f2656368ec83dca9ab004811cf330083afc56043735a5b
AgentTesla
920d519caed6fad76c8205ab38d984baccfd97405b1ca5ada793cc50140183ca
AgentTesla
e0a9d1ee5f291098090a028934842e554f4bb482a0100077d909d3005430b2ee
AgentTesla
+ 5'144 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230724-gwhbcaah21/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/8991f851-18b2-4bc5-970a-4d675432084c/
SH256 hash:
b0650593ee79c50810c861ce8380734ea9de3a1adf77e425cf86b8673ade7b72
MD5 hash:
d68f2f9257c91b202f5d393689199180
SHA1 hash:
c98b52638766aca0e2c82b2416d23f296370660e
Link:
https://www.unpac.me/results/8991f851-18b2-4bc5-970a-4d675432084c/
SH256 hash:
ab72e3cb5063c34abbd135746ea262c6dcccd1a20cb7f932b755f04d61a27043
MD5 hash:
d26fbae31cffeae94a66f86adaff7527
SHA1 hash:
4462a3e871e80418c6e9a0b6207f284b707bc5c8
Link:
https://www.unpac.me/results/8991f851-18b2-4bc5-970a-4d675432084c/
SH256 hash:
6f426d3f8af9a0c05c1ea42b5509f17f89e3e8ef97d940480e1ae6c8025fa288
MD5 hash:
d4bf217761a7582bbc7dfc4b47b06a0c
SHA1 hash:
0fc2959220419ef3c713975e161a5e744a9ab967
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/8991f851-18b2-4bc5-970a-4d675432084c/
Parent samples :
0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
SH256 hash:
5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
MD5 hash:
ad5982d802d2039bed552a10f41cc535
SHA1 hash:
6b8d663d2f38b569881ffd458bde6f06cd30f507
Link:
https://www.unpac.me/results/8991f851-18b2-4bc5-970a-4d675432084c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5af1aba19d9d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430571/

Comments