MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b58f94841a17d6f347c5d32f4ac2e2fb6d7e4954d65b5138ed7fb44c924c3a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	5b58f94841a17d6f347c5d32f4ac2e2fb6d7e4954d65b5138ed7fb44c924c3a0
SHA3-384 hash:	3671f688bf4d9e5c9c30e15766fdfa7fc07a2410f686ba774a45e9a00889f32fca3a7837f4fe54fdb56ccd19f5136781
SHA1 hash:	ff966c9355cbc922e0eb162d8dae6db2244267da
MD5 hash:	ba67bb555e5e1d845b4e549df2c8b493
humanhash:	equal-low-north-item
File name:	LOS No 140491194.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	692'736 bytes
First seen:	2023-04-03 12:56:22 UTC
Last seen:	2023-04-05 21:45:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	12288:HKPFSPmnULyywVBGh0NaHo3EpGs3TH8HzZF/gxMdib/:HiFS2UDwVBNNYoUpZTcFg/z
Threatray	1'783 similar samples on MalwareBazaar
TLSH	T105E46D7D19ECD5A7D579D6754BF44C30A5FDA41B3A31CE2E39EA008906A2F02368336E
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e8b2aa696cd4e892 (5 x AgentTesla, 2 x Formbook, 1 x SnakeKeylogger)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

LOS No 140491194.exe

Verdict:

Malicious activity

Analysis date:

2023-04-03 13:03:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7c3a4848-b400-4ad8-b168-57d45c58efb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/379695/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.24013.24533.24903.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

floxif packed threat virus

Link:

https://www.filescan.io/uploads/642acd22c56b2da73aca8529/reports/a20d74d3-dbb4-4ad3-a46b-7879b81a73bc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5b58f94841a17d6f347c5d32f4ac2e2fb6d7e4954d65b5138ed7fb44c924c3a0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b7503f4-5f74-45ca-a901-63d8ad360045

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1207252

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5b58f94841a17d6f347c5d32f4ac2e2fb6d7e4954d65b5138ed7fb44c924c3a0/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-31 06:37:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lnmpsscbuf6w6nd4luzpjlbof63npzevjvs3ke4o275ujsjeyoqa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1f84c574a2f7836be22289a50c618d60dca14790609889eff1e25f8cdf49f468

AgentTesla

285c3ffd2b6cdd180ee0a3371f12f6a0ffb4a77ffc7a811f242749f68722242c

AgentTesla

29efaf03dee08b4e3f4e23e41b9581513da070dc49e746e91aee2022fef12088

AgentTesla

3678eacb8a54a9b0112aae9c691b5ddbbe86631d17689abd544a1acac76c1ce8

AgentTesla

745334ebcf459ec748d00eaf3bcb94045cebdd6275aca548255c1c922f0f9d9d

AgentTesla

8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95

AgentTesla

ce5c147f75c354710869fde43cdc99afb90de8f43d5a0a58cd7456ade759b110

AgentTesla

d5b4018736e8ded7a665f2051a05e9fdd53e379eceee4c62abff955dbb5e4554

AgentTesla

+ 1'773 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230403-p6x4jseg98/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

1cb0143fb91c98fa790059bbc2c889948029944cd9e7ae62efd0a83264031780

MD5 hash:

673d1515db6ad29a4634984e68085489

SHA1 hash:

be694bc3d654a20c873c8cc5f6ca6458c75c561f

Link:

https://www.unpac.me/results/0cbf5d54-5f42-4212-9377-095ededfe7c7/

Parent samples :

7225fb26ac598e2675891df1f0733d038fcf691e7e04c190f700813132cd5040
256206be49f97b60b3e580901f31d726e194cfcf0b50a291cf67f7a6267aeb18
3caa5f70e285a2f721a9d8d16dbcdc56a5a9cc85463fca195baea784840f1650
2824923e53f00d95246e6af0ebdf392983d4afb436c1c4af2a5420a41a827ecb
42fac947ed7be43e589d194a49aef65b306055ad3d42ee3b7c9a2b03cda99cd0
ce951f9946a66af4cf461317865d760231a083710a35ae4d2ff362201ec66966
85f7d296de25155108c48bafa42ddcba37feb9add3f20c3b5c65ac321ec9a70d

SH256 hash:

5d270f526b23d2882584dd15163ed804cd4ac1e4ea6478898c3951a1364d34b7

MD5 hash:

1bb89c738e2dcb85ae5647e69df2a592

SHA1 hash:

ba0696f8ac71ecdcc3b65907e77ae619a9eeae24

Link:

https://www.unpac.me/results/0cbf5d54-5f42-4212-9377-095ededfe7c7/

SH256 hash:

ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d

MD5 hash:

27f5124bf8f451bca8d8a15c73c4f521

SHA1 hash:

5fd557e109b8fd1c3b362b64f0ba9f1600c07211

Link:

https://www.unpac.me/results/0cbf5d54-5f42-4212-9377-095ededfe7c7/

SH256 hash:

5b58f94841a17d6f347c5d32f4ac2e2fb6d7e4954d65b5138ed7fb44c924c3a0

MD5 hash:

ba67bb555e5e1d845b4e549df2c8b493

SHA1 hash:

ff966c9355cbc922e0eb162d8dae6db2244267da

Link:

https://www.unpac.me/results/0cbf5d54-5f42-4212-9377-095ededfe7c7/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5b58f94841a1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/5b58f94841a17d6f347c5d32f4ac2e2fb6d7e4954d65b5138ed7fb44c924c3a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/379695/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample