MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b
SHA3-384 hash: 85e72aa1ad1e7777a7f808efa05814c495357159954179b6e64bb21072639798aa28a825fd8267eec905cc3b9a6418a3
SHA1 hash: ccb0d8a5a01b8831260fd63fb73ca98e8108da36
MD5 hash: 0da7bfdc743fed49845150c88f6f47fc
humanhash: mexico-moon-washington-beryllium
File name:PO OAU_DECQTRFA00541·PDF.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'010'688 bytes
First seen:2023-12-11 13:43:03 UTC
Last seen:2023-12-11 15:35:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4HLRiJkDbp7NIp09j0nWiC8UddYncE/ZVU5Sn74uiou:4HoJYbp7RNvdQcEHn7t5u
Threatray 6'022 similar samples on MalwareBazaar
TLSH T11625DF057384CF51C61F05B6C8A6D2F80327BE10CE15D7EB76C9BE293AB32EA6561583
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0f519373d9cc750b (107 x AgentTesla, 20 x AveMariaRAT, 5 x Formbook)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
DK DK
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12925.26700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04e0674f-c0a6-4b32-9f1b-e7c80c120433
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360013
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 08:52:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ll5zszl73ho24orbhgovmlbopcjtciqabwzgziqiynr5ohetrzvq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
222aedbf7c1a8e5d3b7b48549ab96dd38de83fe5a562f4735101963436bdc1e2
AgentTesla
28ead7588848700eeb6c5ca4d1aa5f6f781b50128c8b7f660d4fb5f8d6c42dc1
AgentTesla
450add1beb1f7e147fe1bad4703b3cff106ec962e8137dcc3136cf681e9293be
AgentTesla
5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b
AgentTesla
6e158f16f07e8ff0704f797423eee56096fa51306fa8e74ae0034559f9cbe81c
AgentTesla
722b47ca4f0c2c337f7adf494536d7aa69d5e6bed3e9641b2017ff588be488cb
AgentTesla
e9767c506d805d84d30aba139bb06e03f96f3043e902e28d4b36255e9171095b
AgentTesla
+ 6'012 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/231211-q8axgahge5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
AgentTesla
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
5d529242295bc9f12b87025f2be18f236f69b2e6b918ef305bf6b5dc565c1ee8
MD5 hash:
836076d40807bcc314b68b1c49a5b0aa
SHA1 hash:
d8b79cb61302fa936f5afaaca7e95ca03ac79bd4
Link:
https://www.unpac.me/results/7226cbb1-adde-4b7e-b70f-94721da0015b/
SH256 hash:
b438b982178f6c76c77397304578b7fb4249a0555bb70dad9eae9824b1fff7e3
MD5 hash:
14359a5edbb53d73361bb1668b9f08c6
SHA1 hash:
cc573255d18e1669687cba22c2910bcaca6f7557
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/7226cbb1-adde-4b7e-b70f-94721da0015b/
Parent samples :
5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b
78adf9dab234e98f3fca7b3276602c128633f1c6b04ad7b07ae860fd0bce69fb
SH256 hash:
79f09c0a1fd15b8be50e0c8de79c42af2d0ca7a6f8250e1b58fd120e98f9985e
MD5 hash:
d3783fb4f1fea98a18df3d5106e3d551
SHA1 hash:
4c46cbf91597adb399a8f0a2a80b904d30ec861a
Link:
https://www.unpac.me/results/7226cbb1-adde-4b7e-b70f-94721da0015b/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/7226cbb1-adde-4b7e-b70f-94721da0015b/
SH256 hash:
5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b
MD5 hash:
0da7bfdc743fed49845150c88f6f47fc
SHA1 hash:
ccb0d8a5a01b8831260fd63fb73ca98e8108da36
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/7226cbb1-adde-4b7e-b70f-94721da0015b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5afb99657fd9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments