MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d28a34afd24780bc33b1b17723e1d129b0d88a114fdf52e5fc8914b66c644eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 9 File information Comments

SHA256 hash:	5d28a34afd24780bc33b1b17723e1d129b0d88a114fdf52e5fc8914b66c644eb
SHA3-384 hash:	03db943bf625b962d3a91b0f71de1bb4d3fd3351ed58bf68ce99458fbb346e9c14ef460ac086563823980e8c4cbac5fa
SHA1 hash:	2b35b35609ee1db5b57925c99afc0ba71dcb5188
MD5 hash:	acb850a1ae36ee3fa296efd255bc6e46
humanhash:	early-quiet-mississippi-fanta
File name:	5d28a34afd24780bc33b1b17723e1d129b0d88a114fdf52e5fc8914b66c644eb
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	935'936 bytes
First seen:	2020-11-11 11:19:23 UTC
Last seen:	2020-11-15 22:58:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:tmTIZw9eAYDq/8DG2rLHTmIDKI0KRkw/wic:ATIZr+8DhrLz7Dv0KeUc
Threatray	10'894 similar samples on MalwareBazaar
TLSH	521523D376B69879C2285139742F3286073CA2AC9D8DCF73079FC5DE0EA759821C1A97
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Changing the hosts file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5d28a34afd24780bc33b1b17723e1d129b0d88a114fdf52e5fc8914b66c644eb/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-11-09 02:13:45 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=luukgsx5er4axqz3dmlxepq5cknq3cfbct67kls7zciuwzwgitvq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2fac92f45be30249eea9927ec6f5587580269c81d73503ce11bb8e3979fe3286

AgentTesla

5647bcd7cf243ba17f489f227328f219f77c778c9a99474e358352275b552e66

AgentTesla

a452cdb62ce6e25a0202e638112c3837fcd9fc7eb9b8d21b49fac3da79d2e27a

AgentTesla

a7a7aab77c51aa47002d095884315b579779d134a893ec6270b4e2ea83bfc921

AgentTesla

b03b486f2ea79250fce879d662f2256839349e2df4d59ed964eb493ecb6b9494

AgentTesla

b6a58bc3f41e4914190b15761baca60507bc4763dd6305c499c52f95ea042727

AgentTesla

d4f0ec801c62358eddef6f921ac704593bccd1847f34e6f0272db9f40f74adb0

AgentTesla

d8870692e7257159505b1805f3be306591ddfb635063973b1caedb236d96547c

AgentTesla

feccccd454c175c67dc7c4c0f291bf467b34355bfb9901a0a9582a448c16dc52

AgentTesla

+ 10'884 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201111-jg6ldmen4x/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

5d28a34afd24780bc33b1b17723e1d129b0d88a114fdf52e5fc8914b66c644eb

MD5 hash:

acb850a1ae36ee3fa296efd255bc6e46

SHA1 hash:

2b35b35609ee1db5b57925c99afc0ba71dcb5188

Link:

https://www.unpac.me/results/4bb752ba-a0a1-4e47-8807-4036710e105f/

SH256 hash:

571dd3a621cfc17e439d583774c2c719b8b544852a1f839d7555ea64fe43fd3d

MD5 hash:

daf7caa7cc081500ceab51367a569b67

SHA1 hash:

133e44fbf14215233e5c15cf99a2d93c481dc2a6

Link:

https://www.unpac.me/results/4bb752ba-a0a1-4e47-8807-4036710e105f/

SH256 hash:

4760a7ebd68d7ecb2d84ddf34e547ccd1408168c642710035f5c350692f3dda7

MD5 hash:

61da70e8abc948eba8d4049cee484fa4

SHA1 hash:

e358af3ea0128fc6483f1485b94d9828a985e20a

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/4bb752ba-a0a1-4e47-8807-4036710e105f/

Parent samples :

530413b8113daf9d98b232b52fa417f774812b1e2902a6c14c1a7fd4b2074482
6d3f0ca9deedbcfa8eec86ba0907881c02c986e8535b56a59b870dd8a6cafa0e
5d28a34afd24780bc33b1b17723e1d129b0d88a114fdf52e5fc8914b66c644eb

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample