MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cd5e38a27f98e7f6576bb0b26e97d9fac24388fd048d68f2114a4b3c7ed04fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cd5e38a27f98e7f6576bb0b26e97d9fac24388fd048d68f2114a4b3c7ed04fd
SHA3-384 hash: 2a944664aae4993547d942213121a8ef3116517dfb035a711cb9790b79bfffc1350e45c0a68ed573a566f0eb6419e79a
SHA1 hash: 8c0063552c98fa6b1aeef15582f8d5f00fbb2d9a
MD5 hash: b44ad81de7956e1e618074bca028efc9
humanhash: south-missouri-zebra-washington
File name:SecuriteInfo.com.W32.AIDetectNet.01.19263.3526
Download: download sample
Signature AgentTesla
Create hunting rule
File size:870'912 bytes
First seen:2022-07-18 13:37:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0Ky4oNfbFVNzB0WW0ysuBsNyUj8I4BIclfR8vnchGWzVb2gb3IU3FnTaFlSNS:ITNl0oyBsNyUj8IPOfjh9NTaQS
Threatray 17'669 similar samples on MalwareBazaar
TLSH T17D05F111B6678D12C2744BB7C5E7550007B46B43B162E74F7FCA22DE0E123EA4AC6B9B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291583/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.19263.3526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d562ba35a7f711464ff17b/reports/9053be45-f54d-40b5-be04-691a3e9662f7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15dea805-55d7-49a9-a086-83bd18fe1849
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1035775
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668269 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 6 other signatures 2->47 7 SecuriteInfo.com.W32.AIDetectNet.01.19263.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\...\xAxAGtqcQSyg.exe, PE32 7->27 dropped 29 C:\Users\...\xAxAGtqcQSyg.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp2560.tmp, XML 7->31 dropped 33 SecuriteInfo.com.W...et.01.19263.exe.log, ASCII 7->33 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 2 other signatures 7->55 11 SecuriteInfo.com.W32.AIDetectNet.01.19263.exe 7->11         started        15 powershell.exe 22 7->15         started        17 powershell.exe 24 7->17         started        19 schtasks.exe 7->19         started        signatures5 process6 dnsIp7 35 smtp-msa.hostinger.com 34.117.234.7, 49792, 49797, 587 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 11->35 37 192.168.2.1 unknown unknown 11->37 39 smtp.hostinger.com 11->39 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->57 59 Tries to steal Mail credentials (via file / registry access) 11->59 61 Tries to harvest and steal ftp login credentials 11->61 63 2 other signatures 11->63 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5cd5e38a27f98e7f6576bb0b26e97d9fac24388fd048d68f2114a4b3c7ed04fd/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 10:03:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
53
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltk6hcrh7ghh6zlwxmfsn2l5t6wcioep2benndzbcsslhr7nat6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
115b57c25f8e7cb980b3f3282feab5d182024a7a71d7d021e1d2a0faa7bde518
AgentTesla
47f66c434fd02690b1847b161ac20e46f5cb2ec9050a961cac72997a548e75d1
AgentTesla
6d683bd3a2a79763dfa70a69655ce558e947d4a455b26dc9de747b1d7ebb5921
AgentTesla
96f58f7de3586db2204d85ddce02f7ef5c72b92fd9ab314b590752ddca7cf941
AgentTesla
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
AgentTesla
abd0a804168a65ceb8827d34d11b58601eb5d947637ee9fdd2dffa3a4afc9961
AgentTesla
bcc6ba14b357c5f88e7e495d16411be6d488918c743214018db2c8e45961fd94
AgentTesla
cc355fc1b46dccf580e160778acdfd476c848f22acdeeafd8e5dac7c8f734913
AgentTesla
ee62dc596e4b4fe76f8e015ac250d696a483f656ebb02d02815520b3fd560e30
AgentTesla
+ 17'659 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220718-qxdh8aecam/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d214eeef7053b4c657b114a8029030a95b8baf2fd32c79ccb9a17a92a999a877
MD5 hash:
15039c1203626aa5f27f8b2a61c1b32b
SHA1 hash:
a24c613176e4b8d1d951803fa797b5e400a02476
Link:
https://www.unpac.me/results/806487b7-089b-4ee8-9a9a-df3d9c49ac17/
SH256 hash:
5029c32d188574a182cf1832cf73e54857806c4f63aada05487a5223c353e6cd
MD5 hash:
7a627c173a725b046e01c4a2d5b48f84
SHA1 hash:
6c7bcd729779ab2a683633b8aca550bcc857272f
Link:
https://www.unpac.me/results/806487b7-089b-4ee8-9a9a-df3d9c49ac17/
SH256 hash:
eeac023421634dccdecbf234034f65965432acce353ce712e9eaf808d0f8327b
MD5 hash:
ffae9ef7dba3cf7648ce54a23e75aa25
SHA1 hash:
5d8dfc270b151b7b282dacc2d1c2e90fbb3bc23b
Link:
https://www.unpac.me/results/806487b7-089b-4ee8-9a9a-df3d9c49ac17/
SH256 hash:
781c78f48dc35cb66432bd1826965cc59fb100d4d12c04432a2c92361f8364c3
MD5 hash:
4bfe50310c7b0dd87da13cc6109f0190
SHA1 hash:
2e3cfcf114927e004ea7788b29e5dc45c5f9e246
Link:
https://www.unpac.me/results/806487b7-089b-4ee8-9a9a-df3d9c49ac17/
SH256 hash:
62fb737ed865e4a9f9bd8b615c35eb3a377ac6b7f186e414579fd672b1318b59
MD5 hash:
f719e52f54ec85fa8e8608435db7c03d
SHA1 hash:
25c84a0f5b88323f2bc7bd9146e64111da675d00
Link:
https://www.unpac.me/results/806487b7-089b-4ee8-9a9a-df3d9c49ac17/
SH256 hash:
5cd5e38a27f98e7f6576bb0b26e97d9fac24388fd048d68f2114a4b3c7ed04fd
MD5 hash:
b44ad81de7956e1e618074bca028efc9
SHA1 hash:
8c0063552c98fa6b1aeef15582f8d5f00fbb2d9a
Link:
https://www.unpac.me/results/806487b7-089b-4ee8-9a9a-df3d9c49ac17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cd5e38a27f98e7f6576bb0b26e97d9fac24388fd048d68f2114a4b3c7ed04fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291583/

Comments