MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4
SHA3-384 hash: c694a55c8e6b02b4de1d9e044eb385c8f16a993347f096e88b553b67755a42f4c9dfa377e35efebe7a374f469bbdbfbe
SHA1 hash: eb3dffff34cd7541128fcf77b6d6f3484d988133
MD5 hash: 725b624537a6fa7d5240a803c8c96fda
humanhash: kansas-august-hotel-fourteen
File name:send the quotation please.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:551'424 bytes
First seen:2020-07-09 11:59:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cdFOEacTaulCSRO65+A2dH669khuRuvoRNEzAp:cdFLTESRxH2dH1zswRQ8
Threatray 10'673 similar samples on MalwareBazaar
TLSH 82C402B132E55B76FA308BF45874A4858FF4B95F506AE36D8CC410CB19B1F889A10EB7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: jsnewks.com
Sending IP: 103.99.1.174
From: Lanny Hu <sales11@jsnewks.com>
Subject: PO of Jiangsu New Kasum for 2/27, Buy (F'20) order Columbia
Attachment: send the quotation please.zip (contains "send the quotation please.exe")

AgentTesla SMTP exfil server:
mail.indoreisenslovenia.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23729/
Detection(s):
SecuriteInfo.com.Fareit-FWJ725B624537A6.16500.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 12:01:07 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqfzjxtz5ufozojnvpsknecovzkxs7lss3ca6innve24zlby4dca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d0be22c9e96a4cd2a2fa90c77240c8cb74748b38ba9b5ee9891329326a21fcc
AgentTesla
14780eb585efbdc339799d90eefcb8b4b613464566f8cb3f1fed2bcb06dcd17f
AgentTesla
1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd
AgentTesla
1eeb2016c83b430e5e444f7dade67a84d441061180087ac57eb8f89d196d4773
AgentTesla
3753be46dda5f897bfbe00944241e5b7b11d77bd0e0a919ca3a751354faf6319
AgentTesla
d62fea38a73608fc3e8de4f3e16f53051f901fa56e7d3802788ca03fb9e1aa38
AgentTesla
dc67ad0f1d9092eca89d3b0efc15e17b3490f9e90e99c5df611322053ce4c709
AgentTesla
e97eb18eef4a73403afab9ba66d7d67c9fc3dd3017fe44bb2b128d935c112429
AgentTesla
ee4db51c78ef23cb198864dc44402b8b23db4392e31463f6df8991ca2454a47a
AgentTesla
f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42
AgentTesla
+ 10'663 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200709-ekbwfal736/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run entry to start application
Adds Run entry to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 868c97ec191ec424454de02ee6c74d1602596bba9b0b8ca89b319977f571e187

AgentTesla

Executable exe 5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4

(this sample)

  
Dropped by
MD5 8e80f9abd9908b9c19018cf82d05d3b6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 868c97ec191ec424454de02ee6c74d1602596bba9b0b8ca89b319977f571e187
Cape
Cape
https://www.capesandbox.com/analysis/23729/

Comments