MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067
SHA3-384 hash:	94fd984e00be85149d133417bdab0c6033c20440af6d4c71ef2181f389243b8b48a4102a6f1b539de08d4bf1c827d4c0
SHA1 hash:	80331853c5503522e775aa7ef10317a14595158d
MD5 hash:	2fad9d22d71aa2c94ee5b6ef0287440e
humanhash:	green-hotel-cold-july
File name:	PAYMENT_ADVICE.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	713'216 bytes
First seen:	2023-05-10 18:48:32 UTC
Last seen:	2023-05-11 07:19:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:XFmDIzln4wgNAqcDZ2ITVh4LhIMA4PDT3XWGl3VlVT6QdtaTlW:1mDId4wqANDI8S3f3BBVRtaT
Threatray	3'374 similar samples on MalwareBazaar
TLSH	T1B2E4E185433BEDE1EA641B70210478525F6DBD1A74F8B0FC7C5BB888C9BB5120AE9763
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	3119113da9a9a929 (8 x AgentTesla)
Reporter	TeamDreier
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

261

Origin country :

DK

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

PAYMENT_ADVICE.exe

Verdict:

Malicious activity

Analysis date:

2023-05-10 18:52:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fc2cb7e1-a453-4cbb-adc6-b35ab50afc19

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox XorStringsNET

Detection:

XorStringsNET

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/388265/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.23304.1786.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645be7296031b4f2571fe716/reports/05fdb837-388d-4f7b-9ae2-4251415599bc/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f5ca5ae7-3776-46de-9c1a-153d6670c2cc

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1230320

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067/

ReversingLabs TitaniumCloud Win32.Trojan.Xorstringsnet

Threat name:

Win32.Trojan.Xorstringsnet

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-10 16:18:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

18

AV detection:

21 of 36 (58.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lrk65rxrfktavqbfidv3fl33o6ancsgxnid22j57vugu6o6bubtq._file

Threatray agenttesla

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

Similar samples:

1a3b961a9b5d76e0028382423f14a35192cda3d3a6dee88fb812c90b1971bf2a

AgentTesla

21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751

AgentTesla

2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b

AgentTesla

4634594a43ca9d6f4630aecf8a17a04a1b2e942cafa3080a4064e2ec7741bd5f

AgentTesla

57ff6de510ccaa060efa53e2c9e1c1b8c3b132fa55289a8a7ecc321a5370043a

AgentTesla

7b96a1bf0bc01fdb25ed2343448b412df9e154cec081970bf360096b995be9f6

AgentTesla

8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357

AgentTesla

e5615a6c90478a371040d8f7d4721e183b5efcc0b0e6ce64b7ab4ee1d04bf0be

AgentTesla

fd6a88c61e8b5b68f3f70d8aab48dabdfc21d96d81f823647d310ccbe1fd968a

AgentTesla

+ 3'364 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230510-xgb4sahg94/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6277498666:AAH4URlmeSysUKKZG20OTvrve55BRMLEu_o/

UnpacMe AgentTeslaXorStringsNet

Unpacked files

SH256 hash:

3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35

MD5 hash:

8a2c496875c0871aecc16aae768b323f

SHA1 hash:

f5423a32125c70b512de301c5616c7b75477e2e7

Link:

https://www.unpac.me/results/5b31cfd7-ff57-4151-b71b-a0e190b86072/

SH256 hash:

4e76768f1b14f4be27b0c8d88a834060d2c8acf65f02450067dcc1b122890f08

MD5 hash:

2ad3229dcc06aae3903a1e83454f8266

SHA1 hash:

792d17d953638092ffe06b9d91047911c63c97e0

Link:

https://www.unpac.me/results/5b31cfd7-ff57-4151-b71b-a0e190b86072/

SH256 hash:

f9021a9e1610a19bafd9f21c3ae02c8d4311e51c26088bad0b4656d12696269f

MD5 hash:

10a323a5614f656ff87524ec3a3954ea

SHA1 hash:

31fe827daa419d117c8ac75fff8253c57cb014d7

Detections:

AgentTeslaXorStringsNet

Alert

Create hunting rule

Link:

https://www.unpac.me/results/5b31cfd7-ff57-4151-b71b-a0e190b86072/

Parent samples :

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067
0e77fc7adca97943ad5bca6f1cd20d05e80bcdda01b29087bf1d6fccd4379063
b3fbab4d8090fb6109b890d24c1e457db6e3f6bd5e17c6be2f2cb8448d53d5ab
92a4f2858bb9f3e546b315c52ee4e07903125b02f55c23cc8ae3e32e2012b2e0
577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56
d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74
f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd

SH256 hash:

cc7c6ca1af0041a62924a7be821df773aec2420ee88a9891a5cee0c7de20b9d2

MD5 hash:

6c2bbcd430d01d7aa97042c2651c90f7

SHA1 hash:

2c30a240afcee75e1b62d1db1784fd24669c6c91

Link:

https://www.unpac.me/results/5b31cfd7-ff57-4151-b71b-a0e190b86072/

SH256 hash:

b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4

MD5 hash:

7b6143d9d94c8b80d191b77d8b6d1ba2

SHA1 hash:

1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b

Link:

https://www.unpac.me/results/5b31cfd7-ff57-4151-b71b-a0e190b86072/

SH256 hash:

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

MD5 hash:

2fad9d22d71aa2c94ee5b6ef0287440e

SHA1 hash:

80331853c5503522e775aa7ef10317a14595158d

Link:

https://www.unpac.me/results/5b31cfd7-ff57-4151-b71b-a0e190b86072/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5c55eec6f12a/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/388265/