MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b4bf8751518e3950d1c1cc3696312c0a207334260cc8a40686c499c2cb8aadf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b4bf8751518e3950d1c1cc3696312c0a207334260cc8a40686c499c2cb8aadf
SHA3-384 hash: 64767ee7a6a53f750f9617a23f2790db1b258ddae0e4d7236167258e3344ee1e8ff38920b2b7f36626991c7c67551d0d
SHA1 hash: 0d0eb1b4b701869401fc940cc154d58e112fb203
MD5 hash: 57fcd354b985420f736f40afe31a1229
humanhash: undress-black-potato-december
File name:57fcd354b985420f736f40afe31a1229
Download: download sample
Signature AgentTesla
Create hunting rule
File size:496'640 bytes
First seen:2022-06-15 12:05:29 UTC
Last seen:2022-06-15 13:01:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4qBafvI01LbCZok+yV1aqvvatzLhNDoiXg2tNO:49fLLJk+yVscs3hdo6v
Threatray 18'574 similar samples on MalwareBazaar
TLSH T103B4129A32F9033DF2A947B41A7354D0777A725B55B9CF0C698934DE093AB8382E1B13
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280161/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.33881.15305.5597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62a9cb69040517c3479832c9/reports/eb519fa5-e8aa-49bd-9dd5-0c9134f35c7e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/156ee3ef-83d0-4591-8f61-f16069d07c1b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1013647
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5b4bf8751518e3950d1c1cc3696312c0a207334260cc8a40686c499c2cb8aadf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-15 12:06:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lnf7q5ivddrzkdi4dtbwsyysycraom2cmdgiuqdinrezylfyvlpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
49a53fb698c6608f315ec4176b93a2334e99cbcc3bb37fab5d3062bc390961f4
AgentTesla
54d48500414b67ed625499d5d6e77230e4e460622d96d5d333a32aea4573ca9e
AgentTesla
63cdda46a08c3038d94c60c3dd0ac398eb2d5b56568870bd4128b835a41d7c4d
AgentTesla
6fe3e4a455584fd416ce8c785e95c072e52b08b9c8749564188f784fa7ff7f10
AgentTesla
8d75529a8c51cb0ba57f63afe69cfbb3af95c5087946ad4de20634c86a5abf3c
AgentTesla
bc0a1153681fd21f8ea15a81e41d256a7a10623554db56a74d2b244547248e7c
AgentTesla
+ 18'564 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220615-n9qyzaefam/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
977159535d88ceff3de9ea6f807f0440ba33c595f724aedee82ea126f14bf57c
MD5 hash:
afb91ae5cca3e02435410e695f3585f2
SHA1 hash:
895e1c636e3436748fd7a83fcdc2ad0b77e05a4e
Link:
https://www.unpac.me/results/611b7820-bc4d-4fa4-b736-7ad9a3ba69ef/
SH256 hash:
a5b602fb5821d6774103206321a3e1bed70b513b30540ab8c6d2dd3b153c64e1
MD5 hash:
c6833f3384b08d4912c095f200a9ea94
SHA1 hash:
7ba13e11eb1c22bcad20bbf6251ff54c50a242f4
Link:
https://www.unpac.me/results/611b7820-bc4d-4fa4-b736-7ad9a3ba69ef/
SH256 hash:
eca5e3f779cc26ba54a8315f2eed3d326ac7a46650984590e8a1c788c5fb661c
MD5 hash:
3b83b3b3b74a217cfb17c038a1da1064
SHA1 hash:
50e353582463a9e2f3c2116ddf9f613becb719d8
Link:
https://www.unpac.me/results/611b7820-bc4d-4fa4-b736-7ad9a3ba69ef/
SH256 hash:
dec15271d422cf3b82c0a94cf147312bb5a4a4f262da4b698ffe7e6bdaf18053
MD5 hash:
79c5c39e29ebe233cd13a50987e64609
SHA1 hash:
0560314716e6519158009159c017d2b52116608e
Link:
https://www.unpac.me/results/611b7820-bc4d-4fa4-b736-7ad9a3ba69ef/
SH256 hash:
5b4bf8751518e3950d1c1cc3696312c0a207334260cc8a40686c499c2cb8aadf
MD5 hash:
57fcd354b985420f736f40afe31a1229
SHA1 hash:
0d0eb1b4b701869401fc940cc154d58e112fb203
Link:
https://www.unpac.me/results/611b7820-bc4d-4fa4-b736-7ad9a3ba69ef/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b4bf8751518/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b4bf8751518e3950d1c1cc3696312c0a207334260cc8a40686c499c2cb8aadf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 5b4bf8751518e3950d1c1cc3696312c0a207334260cc8a40686c499c2cb8aadf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2239118/
Cape
Cape
https://www.capesandbox.com/analysis/280161/

Comments


Avatar
zbet commented on 2022-06-15 12:05:58 UTC

url : hxxp://103.114.104.219/nz234567hgfdertyuhsec/T.exe