MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a
SHA3-384 hash: df98e55877f513d1de5eeaafb7843e085e9547d637b5c1fa69e93373c4f0e0645ca30dc05c97dbbcaae5fb769c4a9dc2
SHA1 hash: 947429ac7fc21804939af655bf4b9c008eadba49
MD5 hash: f63292fb2b058227bade273192eeaa01
humanhash: william-violet-queen-lake
File name:30714756.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:871'936 bytes
First seen:2021-01-14 07:04:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep 12288:Swzrxe6EsA0ZKUteuV5oBJhZvwriAbfq2c52WO5AQLBsxc5jb/VxC2831uK8Rf5:BzFQsdKOH/orX2iKfK52d66BH1
Threatray 2'143 similar samples on MalwareBazaar
TLSH 2005E657A804978FE03586B9BE070F6C5F1A3E1DA5C666EF50230D8B7A387724D4E06E
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps.websitesmalaysia.com
Sending IP: 103.233.1.132
From: DHL EXPRESS© <autoreply@dhl-supply.com>
Reply-To: DHL EXPRESS© <nicolasdiegonicolas@gmail.com>
Subject: DHL Commercial Invoice {30714756}
Attachment: 30714756.PDF.zip (contains "30714756.PDF.exe")

AgentTesla SMTP exfil server:
smtp.vivaldi.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
30714756.PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-14 07:23:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f93d1da-b24c-4a81-8633-4c555c38f13a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111964/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580945
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-14 07:04:28 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmzgpxvs4gt5cwtapqmruwfplwro2xpcgzk4522lakap43ynlj5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13207816457e33a0430e6da6d1ab86d9797f9c2895a7491c142b5b8bfee3bb0d
AgentTesla
1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b
AgentTesla
20caa9bbab7ef41b3766a4fc9c1690b84b9425a1105eb563673a5000f02936b3
AgentTesla
67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
AgentTesla
6f47301c8691d7f68ccf71931b8e2664fad0720d1f4d01f4bfda35cd1a076bd1
AgentTesla
8fcfe841647c5f4d3f10b59fa63b2e2dff841b4c5c39cbfa828146281e49ad77
AgentTesla
a08a2ea7f574259a68c3cc7d0ff2c1f46e9a57e9802cf5fc41803787564451e8
AgentTesla
c05e310c646407fa733712a98c822a5416ca1124322429d8d2a90966e909a6b5
AgentTesla
da9b1555b574d5e9b340f3993564550e0659f08b24856184a9eb543f4700e7e8
AgentTesla
f408fd39d1ec47e7ba56e85ac76e167b2cb000acde2643ec8f36c571fcc1842f
AgentTesla
+ 2'133 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210114-b89pnkya4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a
MD5 hash:
f63292fb2b058227bade273192eeaa01
SHA1 hash:
947429ac7fc21804939af655bf4b9c008eadba49
Link:
https://www.unpac.me/results/19eb9e65-8fed-4cdd-ad55-9cb2d4cfa437/
SH256 hash:
f0c46804b299c9ee5c6898b663185cc7f32348c35b3b1c08e127d1a752f27121
MD5 hash:
98f145e5496d1cd866b4bfb22de76af9
SHA1 hash:
0d9cdcd90869506a019695e3b1e6e3fa285b451e
Link:
https://www.unpac.me/results/19eb9e65-8fed-4cdd-ad55-9cb2d4cfa437/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/19eb9e65-8fed-4cdd-ad55-9cb2d4cfa437/
SH256 hash:
f2d2a7cb9b2b30ed86767ad7c5f07545050def08da618606c3137e2784b23d88
MD5 hash:
662de0bac214b9f7fde8a29ee22f5ef2
SHA1 hash:
b2d2324400fc5d12b5e95906381944990ef2e57b
Link:
https://www.unpac.me/results/19eb9e65-8fed-4cdd-ad55-9cb2d4cfa437/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip db73fcc361dc82ecd20287bad8c9c351ad24e7c7a087974ed6d4fe0dd0ce7109

AgentTesla

Executable exe 5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a

(this sample)

  
Dropped by
MD5 ec2b0ae12ee9094b709c8dba6d27906b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 db73fcc361dc82ecd20287bad8c9c351ad24e7c7a087974ed6d4fe0dd0ce7109
Cape
Cape
https://www.capesandbox.com/analysis/111964/

Comments