MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5caec2d3d8e27a3360ccfc76d30f99fd6c461b8d2fbf0989d62893fca758ab09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	5caec2d3d8e27a3360ccfc76d30f99fd6c461b8d2fbf0989d62893fca758ab09
SHA3-384 hash:	a5e40caee3671abe941b42609e5085eae0889cc82c9f3d257941089869d0110ec470b8a3ab93c7d9a11c5cdc2061aba4
SHA1 hash:	270ca4b24d1d9fe7a8d849e2b72bc50b4392a7b9
MD5 hash:	ac8381e14acd2a47422c81893164a8b3
humanhash:	mockingbird-north-paris-social
File name:	Purchase Order & DWG data sheet Compliance form PO WH 5409.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	896'000 bytes
First seen:	2020-12-20 12:08:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:kneG8cm2y5FEWWzMdw/63MLgboLUJ/UQmVj2:knq2y5iDoyLgc0/U6
Threatray	1'912 similar samples on MalwareBazaar
TLSH	4F157E6839E9705EF173EE719FE43CA5EA5EB673270B541B5013038E8A1E842CF9057A
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

From: Khalid Parkar - Alhasawi Group <khalid.parkar@alhasawi.com>
Subject: RE: Purchase Order for Umm Al Hayman EPC Project (2020- 12- 233,230)
Attachment: DLR20-530 PO WH 5409- Umm Al Hayman EPC Project.pdf.lzh (contains "Purchase Order & DWG data sheet Compliance form PO WH 5409.exe")

AgentTesla SMTP exfil server:
mail.jk-peru.com:587

AgentTesla SMTP exfil email address:
johnmuller1922@gmail.com

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order & DWG data sheet Compliance form PO WH 5409.exe

Verdict:

Malicious activity

Analysis date:

2020-12-20 12:09:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b93eb852-19eb-4db8-b723-bbbe93ca5457

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/108609/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.474.23153.20644.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/566996

Signature

.NET source code contains very large array initializations

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5caec2d3d8e27a3360ccfc76d30f99fd6c461b8d2fbf0989d62893fca758ab09/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-20 10:14:09 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lsxmfu6y4j5dgygm7r3ngd4z7vwemg4nf67qtcowfcj7zj2yvmeq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

38cf806ecaf30b5209ebce1a41e7ac877d3201cec05f4a665fe85797a7069bbc

AgentTesla

428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0

AgentTesla

55948fede55c398fce76d97b8316d5da6f958b08746a33f0cdaf4e016f0a1e15

AgentTesla

73884bc59571b3c7199849dcdfb8330b57435a822c320d1913eb990db842fbbf

AgentTesla

9bc94d701cc45f74ee489efe7d99e84017d17a71e0232b0d14cf82c005a1ae1c

AgentTesla

ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501

AgentTesla

d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16

AgentTesla

f90cf6686fcfe69bb074cf65a5b7e19c8e97b1351377faa7a2477577d4171de8

AgentTesla

fdac92b0fe7d038bfdfa12127cae944e95dff1ef54684923785701d9e92dfaf4

AgentTesla

+ 1'902 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201220-l2lmszdhb6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

63a681a5739224e2a8d2184aee0f2672d57a99b920dbd40de6decb78b961b588

MD5 hash:

fc6398e3e937efd3ec3b835312111b12

SHA1 hash:

1df5edc9d3e24de6032d3569db24c58f79f65476

Link:

https://www.unpac.me/results/95bd6bc5-dcf2-44e6-830d-5b5d3304743a/

SH256 hash:

ba4abdf257008bb406b736660eb5dfd54c9675f155ba189ae6da9dcac27a2139

MD5 hash:

607cabaac5524db950e8de4c7c7ef347

SHA1 hash:

5b1a60a79535a972e9df3841a1c3e1c637c736c6

Link:

https://www.unpac.me/results/95bd6bc5-dcf2-44e6-830d-5b5d3304743a/

SH256 hash:

175c8544afdc2dcd7bcbe05c08ff29f44800418890b05bac68ee3571086ec6f2

MD5 hash:

957d3adeaf6693284c5d7e20b137cf21

SHA1 hash:

69a69f2e954b340be8b8ebca9cdf95ff2589ff9d

Link:

https://www.unpac.me/results/95bd6bc5-dcf2-44e6-830d-5b5d3304743a/

SH256 hash:

e308e4625c3ed05899f9533d616cacff5a61c6a082c32719ad8ad952dbbc2f32

MD5 hash:

42c367b9b03a968fa49ff429463f95c9

SHA1 hash:

c1d6535715663dc8d51ef0aaec732a7dfda04676

Link:

https://www.unpac.me/results/95bd6bc5-dcf2-44e6-830d-5b5d3304743a/

SH256 hash:

5caec2d3d8e27a3360ccfc76d30f99fd6c461b8d2fbf0989d62893fca758ab09

MD5 hash:

ac8381e14acd2a47422c81893164a8b3

SHA1 hash:

270ca4b24d1d9fe7a8d849e2b72bc50b4392a7b9

Link:

https://www.unpac.me/results/95bd6bc5-dcf2-44e6-830d-5b5d3304743a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5caec2d3d8e27a3360ccfc76d30f99fd6c461b8d2fbf0989d62893fca758ab09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ba3f294111b0c0e6d43a1d997ebdea1b224478100bb31951a90fd3c40094368f

AgentTesla

exe 5caec2d3d8e27a3360ccfc76d30f99fd6c461b8d2fbf0989d62893fca758ab09

(this sample)

Dropped by

MD5 83bf776efcc054cf41b33c086330e4cc

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/108609/

Dropped by

SHA256 ba3f294111b0c0e6d43a1d997ebdea1b224478100bb31951a90fd3c40094368f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample