MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c8ba975c1ec2a2fe0c98e5e1cd0ba61b415ba7667f5a7c95ad383abe4ba92a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c8ba975c1ec2a2fe0c98e5e1cd0ba61b415ba7667f5a7c95ad383abe4ba92a2
SHA3-384 hash: f9190cfb16797d9d30b49ba445167cb63e65a85dced82152b5a01d0631dcb5dc4ee267743bc614747749796e1b1c29d8
SHA1 hash: 7079bbb6b051a157af5d22b49e0c1b8a4f67c352
MD5 hash: d84c69a27cb7a1c08dbd50fe1180998e
humanhash: cat-video-monkey-south
File name:Trial order Request Items for confirmation - 20201027.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:57'536 bytes
First seen:2020-10-27 09:59:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:1kA+t9JMWQLzI3SnXRzBl2kyCtnvbJjXUf2hrI:1kA+amShzBl28nFjXUfWI
Threatray 797 similar samples on MalwareBazaar
TLSH 2D4394A5B3F9A846E9D8153CF1CEC5E009A2598137B993839C9C0F9B67837522F6F10D
Reporter abuse_ch
Tags:AgentTesla exe SendGrid


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: xvfrhtwb.outbound-mail.sendgrid.net
Sending IP: 168.245.7.155
From: info@em3294.lazertint.co.uk
Subject: TRIAL ORDER REQUEST
Attachment: Trial order Request.z (contains "Trial order Request Items for confirmation - 20201027.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Dtloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79764/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513220
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305724 Sample: Trial order Request Items f... Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 71 Yara detected AgentTesla 2->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->73 75 Machine Learning detection for sample 2->75 77 7 other signatures 2->77 8 Trial order Request Items for confirmation - 20201027.exe 24 6 2->8         started        13 Trial order Request Items for confirmation - 20201027.exe 2->13         started        15 Trial order Request Items for confirmation - 20201027.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 59 www.google.it 172.217.168.67 GOOGLEUS United States 8->59 61 pastebin.com 104.23.99.190, 443, 49712, 49721 CLOUDFLARENETUS United States 8->61 69 2 other IPs or domains 8->69 57 Trial order Reques...tion - 20201027.exe, PE32 8->57 dropped 79 Creates an undocumented autostart registry key 8->79 81 Creates autostart registry keys with suspicious names 8->81 83 Creates multiple autostart registry keys 8->83 19 powershell.exe 8->19         started        21 powershell.exe 25 8->21         started        23 powershell.exe 24 8->23         started        33 4 other processes 8->33 63 104.23.98.190, 443, 49719 CLOUDFLARENETUS United States 13->63 65 172.67.142.40, 443, 49715 CLOUDFLARENETUS United States 13->65 85 Adds a directory exclusion to Windows Defender 13->85 87 Hides threads from debuggers 13->87 89 Injects a PE file into a foreign processes 13->89 25 timeout.exe 13->25         started        35 2 other processes 13->35 67 104.27.181.69, 443, 49717, 49718 CLOUDFLARENETUS United States 15->67 27 timeout.exe 15->27         started        29 timeout.exe 17->29         started        31 timeout.exe 17->31         started        file5 signatures6 process7 process8 37 conhost.exe 19->37         started        39 conhost.exe 21->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        49 conhost.exe 31->49         started        53 2 other processes 33->53 51 conhost.exe 35->51         started        process9 55 timeout.exe 37->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c8ba975c1ec2a2fe0c98e5e1cd0ba61b415ba7667f5a7c95ad383abe4ba92a2/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-10-27 10:01:06 UTC
AV detection:
28 of 48 (58.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lsf2s5ob5qvc7ygjrzpbzuf2mg2blotwm722psk22ob2xzf2skra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e998a143797b2949946d9ff71667c220fad713935636046fc7a609928784f9c
AgentTesla
459838dd5e98a4fe8c51d2d0c3c7850319b1a13cb41f568aa0cf6cb0bba6e9ef
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
63e8813f98c05a02ae1c868adf8ca82aabc49e5eadd33368f036440d4116849e
AgentTesla
755bcfb03ddf8019aca959a1a5f46f1e2a8b5e10cce049ce8b80e8f4daaaa143
AgentTesla
8f416a96a4a8475bd8486d264aad1bb73ad020db8e7e1d0f268432684096511b
AgentTesla
97a4e627e5182df35863f15f757d3de6f98fb7f3d94664a751df46a9d0b1eb8a
AgentTesla
c754f76eefb0ac8ba7da335bbdc3e50ce786a331f41056215367418fca46c1a5
AgentTesla
f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3
AgentTesla
f7c8cbe0001970e2d04206389e637df25bbded7928fefae62ba910efb216bd2c
AgentTesla
+ 787 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence spyware
Link:
https://tria.ge/reports/201027-nexhb51bya/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Turns off Windows Defender SpyNet reporting
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z d4a2264238f61f5e76883bfe7f10067618ba11b0b0065b240a4a08adbca40f8f

AgentTesla

Executable exe 5c8ba975c1ec2a2fe0c98e5e1cd0ba61b415ba7667f5a7c95ad383abe4ba92a2

(this sample)

  
Dropped by
MD5 5c89d38c3e18bc78b6766cbe21f83253
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d4a2264238f61f5e76883bfe7f10067618ba11b0b0065b240a4a08adbca40f8f
Cape
Cape
https://www.capesandbox.com/analysis/79764/

Comments