MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39
SHA3-384 hash: cc5ecd03bd0fe7cba3e196011f520ccbfbdf4d5203c0b92ccf365478b463c610e5bc2bd56c7485d4215c6216b846ee14
SHA1 hash: 43daf76d2701e02ca64d73a77c8de0c3d318c240
MD5 hash: 705c1bddf0a01f9b7c32b5ede6e64ed1
humanhash: helium-eleven-vegan-delta
File name:Order 911799 - EM092722.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:491'008 bytes
First seen:2022-11-07 05:17:35 UTC
Last seen:2022-11-07 14:30:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:dL2Nnm0bT86Nlb2vbchfsC+mURes2nomyqGYt3FWzAh:dqlBb1mY+Qs2omyqGYt3FWzAh
Threatray 530 similar samples on MalwareBazaar
TLSH T1B9A4F111BECB4163EF5F86B759249E2170340DCA90C5AA9C60BCB87C7AD8BF575CA0E4
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order 911799 - EM092722.exe
Verdict:
No threats detected
Analysis date:
2022-11-07 05:19:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9cac9582-5ad8-47d3-8a93-9834d41c7f19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329678/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.155406.31868.3679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerbu evasive packed
Link:
https://www.filescan.io/uploads/6368950ad998c15a09ab3ce2/reports/1f6fc353-63b2-4549-b571-914ea9705241/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/73c82651-5f7b-40e2-bbb1-265d1566f65d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1106924
Signature
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-11-06 21:16:49 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lns32o7p7ia7bbyq22lmiai5gimensa77asi4mootrf4sm5fju4q._file
Verdict:
malicious
Similar samples:
1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b
AgentTesla
44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe
AgentTesla
7157ea22835284e4b38c05ac415ead575656efa2389f74dcfbb8ab910031427c
AgentTesla
9d0cd2b1f470af7bba55345850c4f2b24ba96b9c4c361e4ff75c14a72bb3e7de
AgentTesla
a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574
AgentTesla
b24c75d9e1a26e070994807153641fa82130db5b166dfa2ac79412a7c36e37f6
AgentTesla
bb06bf5d8b68991bf2545a1b560b535d35ec17f870f4b53f62c31dc3d1148408
AgentTesla
d3c0d9f3e9555fac2f6c6431339c4556f2d87b5479543a927040c4ddfd1e25ba
AgentTesla
f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69
AgentTesla
+ 520 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221107-fy9myacegr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/55b907aa-91e4-45e3-8b71-068d585cba10
Unpacked files
SH256 hash:
5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39
MD5 hash:
705c1bddf0a01f9b7c32b5ede6e64ed1
SHA1 hash:
43daf76d2701e02ca64d73a77c8de0c3d318c240
Link:
https://www.unpac.me/results/51106ebb-9ba6-4657-a7d7-1c6a9e3a8167/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/329678/

Comments