MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7
SHA3-384 hash: 979b523ef520346d9abab9cc807b696e26e91db5f252512219aef77f80ef69c920cdb710bfe4f9916448a4757d91a0a0
SHA1 hash: 6426418ee441590f4f24bdbb9523af97c8d3668e
MD5 hash: 569336c70d9095e94c190790284d9782
humanhash: chicken-nevada-alpha-kitten
File name:Stone Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:626'176 bytes
First seen:2020-08-13 07:52:52 UTC
Last seen:2020-08-13 09:02:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8dba14b5415c4a8fd9aa97530cb9d1a2 (4 x AgentTesla, 1 x Matiex)
ssdeep 6144:EMH+JIzhb301bFgTBfjLZ6XLPR/40aLnoE2KggRqv8frJIe6g4hRXNdXtCFt6W7c:V+6lbkT+A7PR/4k6hlft4hRXN5t+tI
Threatray 10'599 similar samples on MalwareBazaar
TLSH 8AD45AA67A50D075D05C0A75B101EAAE42507838C8038D87B7D2BFCFFBF569A5D26B32
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: llsk285-a17.servidoresdns.net
Sending IP: 82.223.190.50
From: seneton@seneton.com
Subject: Quotation for Irregular Slate Paving Stone, Irregular Flagstones, Flagstone Road Paving, Flagstone Walkway Pavers (Buyer: Alfredo Castellani - United States)
Attachment: Stone Quotation.gz (contains "Stone Quotation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44947/
Detection(s):
SecuriteInfo.com.Trojan.Heur2.FUL.MuW@aK9gy9ei.8969.23906.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/425396
Signature
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 07:54:10 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lomzf5cyrzrtplng5vk2d4474srct4yqocqe34odfumohqnquc3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4c1a433244a83a823b97c4739c5ef1d79f078f0072d580046e295e6c0271f464
AgentTesla
5e2b50ea71dab4a9890936aa161e9063c33aa43088bc88ed55707b6684aa0f46
AgentTesla
6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6
AgentTesla
6fefda6e593a6be7de5636905b89eef16e82b904e95bf88245ee067b84cebbed
AgentTesla
735371cde40d19b56069dc9cbf5c68e138b12bf9b188ef448abb7b36be143eb4
AgentTesla
7dc693a09183412e6567e278cad02a34b8d4779ba93fddf8c34b1daaf78400e1
AgentTesla
91c8f2961875cc9e46f40ea917b6d83c45301926d88bb8a0af857f3caedcf8bc
AgentTesla
975bd764510169b28cbde394746ed4c26b05ce0465c2184873d5e1c6e14bfae8
AgentTesla
c4b558efd2baee3e3b2e39a7b88da203d870857a8331b403b003643ab066b930
AgentTesla
ef7a8f1478e57d2dedf96a00501903b7b5a571680286502f2f329ed2c8728b2b
AgentTesla
+ 10'589 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200813-v46vszk32x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a3a541db0cc47519f8dc4b87ca7178ced6f6c503f7a3d0487f56c116ed09f6f0

AgentTesla

Executable exe 5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7

(this sample)

  
Dropped by
MD5 b151d1cc19899b4e751fcd5ca5bb0d2f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44947/
  
Dropped by
SHA256 a3a541db0cc47519f8dc4b87ca7178ced6f6c503f7a3d0487f56c116ed09f6f0

Comments