MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c1b7cc52b8ac8b99912ecaea6212aa3ac09664d209e1b7de80e9b44d00f7d86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c1b7cc52b8ac8b99912ecaea6212aa3ac09664d209e1b7de80e9b44d00f7d86
SHA3-384 hash: 063f8614d99ea67f2818ad80e6a14e0afc8ddb14ab42ae6acaa21ac7be2d5b0de3a1affc37456e09ca86974944031d8c
SHA1 hash: 8a381a366d9ce8cb4f845e22632f5f6973b3e2f2
MD5 hash: 3dec2a472c39b1722fc815252af3d276
humanhash: cup-sink-green-butter
File name:caleb tele 4.0 new.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:219'136 bytes
First seen:2020-10-22 07:33:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:JMnraf/XrLUrNvD/wqawm41ZnfjUPolUDTJ2mKL9CsOse1YGp5MA5jgv3sotoEpi:9fvXUR7mKnfjUwwc75CsTsX5z5jgPso
Threatray 723 similar samples on MalwareBazaar
TLSH 50241856178D9E20CB7E0378C057821837F18633876E928F6AA2D8FE1B456CEFD1A5D1
Reporter abuse_ch
Tags:AgentTesla exe Telegram


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: tonythompsonracing.co.uk
Sending IP: 45.147.230.204
From: Katie Bridges <sales@tonythompsonracing.co.uk>
Reply-To: Katie Bridges <sales@tonythompsonracing.co.uk>
Subject: NEW PO 45000875889
Attachment: 456700087588.img (contains "caleb tele 4.0 new.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74535/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c1b7cc52b8ac8b99912ecaea6212aa3ac09664d209e1b7de80e9b44d00f7d86/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 10:17:34 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqnxzrjlrleltgis5sxkmijkuowaszsnecpbw7pib2nujuappwda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d708c83b36fe0c753363337dcd0a940e8e9ce2927a9847e56deed6b98fa5b5d
AgentTesla
1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e
AgentTesla
66c8e38b2f545edd7660168b8e778c165f200867abb90cd07c2f033ea1ae8405
AgentTesla
6853956661336de789939b113160c9316bc33c213c6633cc98636f107616e538
AgentTesla
7f717f3d6242070c4f59575f510fa366e5cbd6c17ad484c0735fca89e365a351
AgentTesla
97a4e627e5182df35863f15f757d3de6f98fb7f3d94664a751df46a9d0b1eb8a
AgentTesla
9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a
AgentTesla
ed0e31210d186d28b6ebead24d3c9721807d8cbc3bad6c2da8f8f7a4f53bc238
AgentTesla
+ 713 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201022-gypm8kawsn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
5c1b7cc52b8ac8b99912ecaea6212aa3ac09664d209e1b7de80e9b44d00f7d86
MD5 hash:
3dec2a472c39b1722fc815252af3d276
SHA1 hash:
8a381a366d9ce8cb4f845e22632f5f6973b3e2f2
Link:
https://www.unpac.me/results/1607ecfd-468c-40ec-b77e-e457a09367c9/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img cbfca6478ff8a650aa39ce3248bfdbfaaca2f91ac05949d13790462379b7f160

AgentTesla

Executable exe 5c1b7cc52b8ac8b99912ecaea6212aa3ac09664d209e1b7de80e9b44d00f7d86

(this sample)

  
Dropped by
MD5 f9e24b393e04154ddb3cadcb47eaca55
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74535/
  
Dropped by
SHA256 cbfca6478ff8a650aa39ce3248bfdbfaaca2f91ac05949d13790462379b7f160

Comments