MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cca2b13030b0165de54ad5e9cac2d828985d995030a90a1e8093179aec6e815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cca2b13030b0165de54ad5e9cac2d828985d995030a90a1e8093179aec6e815
SHA3-384 hash: dbcc62c415eaa560682b06b6c86bf8a805eff9db2fd5c8af129aee64703a7cac50d83f5e88069b4b71e1290c74f546c4
SHA1 hash: ac7e2b17ea1c7c1f65e4af1528e022bee4672ca9
MD5 hash: 4fcbe0c8b85c71ecd91fe4e198bc6f6c
humanhash: seven-undress-leopard-eighteen
File name:hesap ekstresi_22-06-2022.doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:142'848 bytes
First seen:2022-06-23 05:54:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:LbK1eGEDg3CFl5UiDDZGc0RigCAg2KlU2zv65orL9pKk+cz6VI6x1nCqMlgI0D7k:LbcSQCFLIfDCbllUmxsNLI6XHMwM
Threatray 18'773 similar samples on MalwareBazaar
TLSH T1BFD37BFAB76E96D0C1D44A36C0FE654403B88E932503CE36657A37591A32FEBD84F581
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8f0d9db596988e8 (1 x AgentTesla, 1 x AsyncRAT)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282534/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Сreating synchronization primitives
DNS request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b4003b62d792dc573e5985/reports/91187bc5-b76f-4c7d-a172-e94574ca07ba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83c6f468-4781-4dd0-af7d-39e2d4074ffc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1018414
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 650914 Sample: hesap ekstresi_22-06-2022.doc.exe Startdate: 23/06/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 10 other signatures 2->42 7 hesap ekstresi_22-06-2022.doc.exe 15 4 2->7         started        process3 dnsIp4 26 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49724 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 7->26 28 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49720 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 7->28 30 3 other IPs or domains 7->30 24 C:\...\hesap ekstresi_22-06-2022.doc.exe.log, ASCII 7->24 dropped 44 Writes to foreign memory regions 7->44 46 Injects a PE file into a foreign processes 7->46 12 InstallUtil.exe 14 6 7->12         started        16 InstallUtil.exe 7->16         started        18 cmd.exe 1 7->18         started        file5 signatures6 process7 dnsIp8 32 api.telegram.org 149.154.167.220, 443, 49753, 49754 TELEGRAMRU United Kingdom 12->32 34 192.168.2.1 unknown unknown 12->34 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Tries to steal Mail credentials (via file / registry access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->56 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->58 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cca2b13030b0165de54ad5e9cac2d828985d995030a90a1e8093179aec6e815/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 14:26:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
12 of 26 (46.15%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltfcweydbmawlxsuvvpjzlbnqkeylwmvamfjbipibeyxtlwg5akq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16e6086897059d30ddde828b6c5e435c045a281b3f3065e348b080377f55c33d
AgentTesla
61a5a7c75af64b616ee9db1f6baa01a4e2d85c94b5cf2714d9919c70e32df9e4
AgentTesla
833bc9d8136b99b89efede166085b55f1f855062d2429b32ddf12ef0082299ec
AgentTesla
924f61ba19c7ee9f31bb66a3ca14aa9bc573e193043720cbb368b6e2fa5be2c7
AgentTesla
9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43
AgentTesla
ac2f476e62ca13d4e3993027da7e7815d319b638c1aed5f0dc4f8e864b99609a
AgentTesla
ae240fef9bc0a045767eccd95b0de70a279917717b5c2b34143cc22a51265b59
AgentTesla
b7160ba1941eb48c0c3b3372d77fbc82affb681e787111d3ecc96fdf4facb8cb
AgentTesla
e2ea826b61a7ac96a22368ae6cd3164c159681479ad506401998c478e18844e4
AgentTesla
+ 18'763 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220623-glv5fsbhcl/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5229869883:AAE7gO0ZMLqyU073jAOnc84IqEvPIfYnqyM/sendDocument
Unpacked files
SH256 hash:
68122669d37d620495235f9c6def841aa81b17c7b4f4bc8b30102377ff6e52ae
MD5 hash:
95684c332d0f57a69c8a3fe62a18ad79
SHA1 hash:
578128ff6d91668d9761b65a962f7aa576b187dc
Link:
https://www.unpac.me/results/200b828b-3ae1-4338-b953-30c14fb88ad1/
SH256 hash:
5cca2b13030b0165de54ad5e9cac2d828985d995030a90a1e8093179aec6e815
MD5 hash:
4fcbe0c8b85c71ecd91fe4e198bc6f6c
SHA1 hash:
ac7e2b17ea1c7c1f65e4af1528e022bee4672ca9
Link:
https://www.unpac.me/results/200b828b-3ae1-4338-b953-30c14fb88ad1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5cca2b13030b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/5cca2b13030b0165de54ad5e9cac2d828985d995030a90a1e8093179aec6e815

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5cca2b13030b0165de54ad5e9cac2d828985d995030a90a1e8093179aec6e815

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/282534/

Comments