MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9
SHA3-384 hash: 5cdebbbd0d3c6df716a1084c2316ceaaaccfba74d40424601c55bd91d573badeda16db34ae1d928bc8f405ce13e35828
SHA1 hash: befc8f5c33abd96dfef2f7fd576a5235c97e1ce4
MD5 hash: cd7e7619af505e6abe08a0d2ca4cb0ca
humanhash: single-whiskey-wyoming-double
File name:5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9
Download: download sample
Signature AgentTesla
Create hunting rule
File size:739'840 bytes
First seen:2023-04-04 08:45:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:s8+qYHzl06/TgTU4E7R1XFG9eHSqA/ciEIdtYHjYFss4oFrXbI0Y6MGYkC:Pel06MFE7Qca6HAbnxXbI0N1
Threatray 351 similar samples on MalwareBazaar
TLSH T16FF42316FA9387B2D8289B7968E357812731E3699323DB5F8D0215DCFBB77242312D81
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9
Verdict:
Malicious activity
Analysis date:
2023-04-04 08:40:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/21d60861-2196-483e-b022-1d3d57161f96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379920/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66044689.8538.16630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed packed
Link:
https://www.filescan.io/uploads/642be3ce05c72da113b367db/reports/8fa5f796-f75b-4ccc-a357-42d504419712/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7fae2c6-15a4-45a7-a857-81d91257ad3d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207869
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 840787 Sample: NIy4hCdEr0.exe Startdate: 04/04/2023 Architecture: WINDOWS Score: 100 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 2 other signatures 2->51 7 NIy4hCdEr0.exe 7 2->7         started        11 qgnUVxrqHy.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\qgnUVxrqHy.exe, PE32 7->35 dropped 37 C:\Users\...\qgnUVxrqHy.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpBB21.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\...41Iy4hCdEr0.exe.log, ASCII 7->41 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 NIy4hCdEr0.exe 7 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        25 2 other processes 7->25 61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 qgnUVxrqHy.exe 11->21         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 43 cp5ua.hyperhost.ua 91.235.128.141, 49701, 49702, 49703 ITLASUA Ukraine 13->43 67 Installs a global keyboard hook 13->67 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 18:41:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqokjlnkeaorrnxwv6kg3c3bb66dbxjttff5nhbugsnpi3jowguq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1249d019671494f72d4c416ce9b7cf6523ac63eca06dad4da4eaf936d3e36888
AgentTesla
1c9d0a9e692e34adb9f9de21ab971767716a73ab5e0ee2ddefb7c6fb7331fbaf
AgentTesla
259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5
AgentTesla
5ad97cec0cfff89e5357fe1635cc6418784ae83359f3aa2e2031c66c7ba8a1f8
AgentTesla
afa66b94bd6590f41c5d758c6f226aeb6a9360aad144c0e83d1a1b6c49982049
AgentTesla
b240115fa9b02dd5ef8234198d48bb6c588c1337120fca9b5fb3849768ca955a
AgentTesla
c269b1931db163462343d0ecd8ef501e35e4da91c91f1464c8d526ef07a041bd
AgentTesla
d18c9b56900681c70305abb559a6d1a645b0f3bd0238dc8e83de4a906f6aff0e
AgentTesla
deb6aedd0f43684c17b79ed15ce83535a06783b817f029a1507ff3dfea0e403c
AgentTesla
+ 341 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230404-kpavgadg99/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
5bc548e6bb612b018fe276cc92a3c876992a45f86c2e955874f34072dd106527
MD5 hash:
0283b6c1a8d2fc3df44f87b5c0fa940f
SHA1 hash:
b7202b5bf06b7eab3ce525f1f4693dc59dac9bec
Link:
https://www.unpac.me/results/2405ef1f-1c60-43d8-9682-0066a36f7626/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/2405ef1f-1c60-43d8-9682-0066a36f7626/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
e1feb16a5ef439b478f2915ad878921cdaadbb87d9992dc59f3c4fc5f2a4a74e
MD5 hash:
8bcc89128791f87bf51dee24c444b7f1
SHA1 hash:
1b0c7eaa9a7ab41c4b7adc69b59dbf915e950612
Link:
https://www.unpac.me/results/2405ef1f-1c60-43d8-9682-0066a36f7626/
SH256 hash:
42c790e86612e4e865059a70cfacbd7d5a8cd90ec19ae39c7eecf61e6497c880
MD5 hash:
6f7526581e96520eb040183081cab35b
SHA1 hash:
124a0d2e57f50eb3fbbd4f6090bdf27306fa485a
Link:
https://www.unpac.me/results/2405ef1f-1c60-43d8-9682-0066a36f7626/
SH256 hash:
a57e8885bdadd5e81912993ad15bd0b5cf1dbc652722f8f3017bba63e1ee165b
MD5 hash:
5fd7882629000662859a80191c2a9321
SHA1 hash:
060508de38530fcc3b94ba6b774360f3c4895f78
Link:
https://www.unpac.me/results/2405ef1f-1c60-43d8-9682-0066a36f7626/
SH256 hash:
5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9
MD5 hash:
cd7e7619af505e6abe08a0d2ca4cb0ca
SHA1 hash:
befc8f5c33abd96dfef2f7fd576a5235c97e1ce4
Link:
https://www.unpac.me/results/2405ef1f-1c60-43d8-9682-0066a36f7626/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c1ca4adaa20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379920/

Comments