MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d3c65ee71f5ed252540489c16fa247131265123b6315730c4ab00810c5cedae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d3c65ee71f5ed252540489c16fa247131265123b6315730c4ab00810c5cedae
SHA3-384 hash: ea3bda133afa178f07eb92268e37d718dcb04cd3486f79ff68ff49f2643825995e2a81a54944b396dda5b9242d904da2
SHA1 hash: 218280c0849d1bd2b09da3aa9ff22962d5999882
MD5 hash: eb2bd9094e18edffc9c09da507dd48a4
humanhash: oranges-arizona-maryland-yellow
File name:Profoma Invoice_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:380'928 bytes
First seen:2020-05-01 11:13:49 UTC
Last seen:2020-05-01 11:56:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 6144:IRck1RT201HjPEnz9YAML6XjracCTys+ww3wbCsy74UkST6ARbXIWOiLlLuLDzHx:Ip1Ry01Hjsnz9YQXj2es+wxfQxk+bXI9
Threatray 57 similar samples on MalwareBazaar
TLSH 8F840195635C8BB3C5FF0ABDA4F2A3491332E6A365D2F7DBDDD555E00892B2126202C3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: paymontly.servers.prgn.misp.co.uk
Sending IP: 185.20.50.76
From: PO#INVOICE INQUIRY <contact@vvillowood.com>
Subject: RE: Billing Invoice: PO#12051992879
Attachment: Profoma Invoice_pdf.gz (contains "Profoma Invoice_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.48219.7284.3681.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 08:39:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lu6gl3tr6xwskjkajcobn6reoeysmujdwyyvomgevmaicdc45wxa._file
Verdict:
suspicious
Similar samples:
04ae85cfa28c705da3cac256912d78bccebaeb98a9639b3d00f38921f4cf1410
AgentTesla
10189128ff7ff4ae10111c65ca809615595304636a0d0e451ee34bf23ee900a2
AgentTesla
37e7b7329552ca9f6ab3233ebe1d8ab96c4385b941b31a21ea43c4c2b85fca61
AgentTesla
3a61804bb8302d42eb46c25a884cf50e7e6e383a9a48bfbfb1cfbe78ed2ed389
AgentTesla
68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345
AgentTesla
a1c243083cc1870948216df122047ee1a8e473d0fab33283009c0d291567ea10
AgentTesla
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
AgentTesla
a5ac47c41bd2ab3f8867c857c379044474fb5b2874f75273d58c1ab5b42a0ea5
AgentTesla
b14306aa1789a4d6b9bfa4f8c9392033ef0fc70e584addad632135f7f832dec1
AgentTesla
fc1fbab23528029108a690e17c533f4c5de405b84159d95ef976bbae3fbead7e
AgentTesla
+ 47 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz fda96a178cca9b44ae215d4c4fc995a0a9886d1e3fc8f59cce4fbf7328264c69

AgentTesla

Executable exe 5d3c65ee71f5ed252540489c16fa247131265123b6315730c4ab00810c5cedae

(this sample)

  
Dropped by
MD5 d24d0e055677beb3333cb90e682b2a35
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fda96a178cca9b44ae215d4c4fc995a0a9886d1e3fc8f59cce4fbf7328264c69

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments