MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ce6f6af37375fd20a6d300d5840e3f744ce58ddbab1cf9757193e2996969f75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	5ce6f6af37375fd20a6d300d5840e3f744ce58ddbab1cf9757193e2996969f75
SHA3-384 hash:	999741e611ded7438af27c42655b2d49fa446488b370d78b0230680d45170659487e8d3f68c5ae181c528464dbc2609c
SHA1 hash:	5e63409f407eaf2f6bb551d7f78549661350a640
MD5 hash:	d247af18d0d5371f9aa181b69c6bd292
humanhash:	jupiter-green-helium-princess
File name:	Request For Quotation.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'338'368 bytes
First seen:	2021-06-28 16:42:34 UTC
Last seen:	2021-06-28 17:42:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	3072:7lSqfUfxxsxp2r24ImUvVBpWu0d7sf3JpQuV7W7EI/fLsXzcgw7zHwgmKhgB3ZhW:oqAxopv4TEGuJ4uZhILsIg2MFhEVD
Threatray	6'173 similar samples on MalwareBazaar
TLSH	6655AD3D19BE123791ADD3898BC98C2FF840DA7B70117E7898D753A58706A8379D213E
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Request For Quotation.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-28 16:46:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/baf60f29-67cb-4591-a1a3-a23d34b38b26

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/168612/

Detection(s):

SecuriteInfo.com.Variant.Bulz.537793.22465.29108.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6ac583c0-43bf-4617-9d87-2f80f9b1d648

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/808942

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5ce6f6af37375fd20a6d300d5840e3f744ce58ddbab1cf9757193e2996969f75/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-28 16:42:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lttpnlzxg5p5ectngagvqqhd65cm4wg5xky47f2xde7ctfuwt52q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

139b45e28f607540025fe34f231747fdbb1e4898dae4ecfa1201a549b3380a11

AgentTesla

164626dcf1ca91f5dc55a6ebd20e6fff394b8fddfa10b9ffcaf974d1540f751a

AgentTesla

78008d64624218312c132200cdf40e1b516c94d43beac16474b156fc0425a10b

AgentTesla

782e217ec684944693a03a56d29675c879b31fb570c5f9956552ba5968295463

AgentTesla

8e0a42940b1c3699bf4c04814773e6c9969b75225295560b4a112e210e63851a

AgentTesla

9e33ca4eee3b2499f384dcfd926f97675258157bbdbeaa5c6720abc746c77d2c

AgentTesla

b31b611ecf161896ad21d9cef18fc7679c5e2f32abda7ee936e0170655889363

AgentTesla

cb866da199696cea1ffe6bd8498c1d2bcf3dd75772291e0d454c4e82c6a51272

AgentTesla

ee7a0cf007ee363a95866367044de119f54cd342775f2c5ab278ee1ea0d9ec48

AgentTesla

+ 6'163 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210628-x8dtzf19e2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/b8e8a06f-3714-4d5a-bf8c-dac7275ad122/

SH256 hash:

db50ee9023389bf6fcd22055bc7417dd960a571800f8b78df770ff1e9341d1b3

MD5 hash:

51f212d5c07c5ad29e0d9f8ad39eaf24

SHA1 hash:

8775e6bd5a78a55987879f72c71dc38ad53a9775

Link:

https://www.unpac.me/results/b8e8a06f-3714-4d5a-bf8c-dac7275ad122/

SH256 hash:

d44df538e8b1cd22f2260cf83847bea5797cd10336c4fb75887e77d7bb64ce6c

MD5 hash:

7951c918f1880b887ea1bb2bfd910684

SHA1 hash:

4c90e8a79cbb78b514c59e15610f923cfca64156

Link:

https://www.unpac.me/results/b8e8a06f-3714-4d5a-bf8c-dac7275ad122/

SH256 hash:

5ce6f6af37375fd20a6d300d5840e3f744ce58ddbab1cf9757193e2996969f75

MD5 hash:

d247af18d0d5371f9aa181b69c6bd292

SHA1 hash:

5e63409f407eaf2f6bb551d7f78549661350a640

Link:

https://www.unpac.me/results/b8e8a06f-3714-4d5a-bf8c-dac7275ad122/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ce6f6af37375fd20a6d300d5840e3f744ce58ddbab1cf9757193e2996969f75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/168612/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample