MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d567a17efdfd5b798013424d36c0e2d32a20ba610dcaa0011d7aad2eaa6b4e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d567a17efdfd5b798013424d36c0e2d32a20ba610dcaa0011d7aad2eaa6b4e8
SHA3-384 hash: 04462b31314a98ad697a21956405de2891567e44e79f6c1537dbbe36c2f6f5a9e75c947fcd49c0c39c6cead41d670e47
SHA1 hash: 0d571d09dc9fe8a393fc6135eac337d2d385941f
MD5 hash: fbf4769b141697d86de6b96bebd8cb86
humanhash: don-beryllium-hawaii-pennsylvania
File name:43949785_98147_SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:337'408 bytes
First seen:2020-07-13 06:23:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:d+MmwWHrjcsRyuP1kXx4jkLkL5dT48GNMFhKVSaVlFOkoPKi2HWgmEtKD:grVrYsRyuNI4AgY8/SSa3FOdPD2HW3/D
Threatray 295 similar samples on MalwareBazaar
TLSH 38741206434B8B26CDB24D35FC114B16C77B6B93B5C2F35E471A378649BAB891F06A32
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: damacproperties.com
Sending IP: 95.211.208.25
From: Damac lee<atyourservice@damacproperties.com>
Subject: DAMAC – Payment Notification
Attachment: 43949785_98147_SOA.rar (contains "43949785_98147_SOA.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24975/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WUO.2091.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d567a17efdfd5b798013424d36c0e2d32a20ba610dcaa0011d7aad2eaa6b4e8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 06:25:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lvlhuf7p37k3pgabgqsng3aofuzkec5gcdokuaar26vnf2vgwtua._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1b63db723d1957b88d6199fb5ea958f28de43333d2482a137c5b73b8be78a4a0
AgentTesla
5056afb57576d4fc72369a0c11d434406085f7e62f773f3db7e297061cba717a
AgentTesla
701bb7d545df1a98de90d0a414a90c7f09538fe02f32e8ffc4c6312aab8349c5
AgentTesla
75ce329091d54aa2fcf6cd6f58704493e0f4ac878279c49db239140051341931
AgentTesla
77ed644af65306cd4cea3eddf6019e5626fe16cbbd0f8c49d76dd21e9683ae5f
AgentTesla
aa5bb63c10ba7512a7f1612ca4b89768023be9fe17bcdf07665ec06640ca242d
AgentTesla
b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1
AgentTesla
bac6ef51da1ca402c3cc71dee9ea466911aa1f2d75dcf5f0b31d29ab3350e015
AgentTesla
cf4cf0f064bbd1115fdee0971c7ffc9a474984eeda8107040589b425ae1a6605
AgentTesla
d12fda0c8cf02474c474c6cbeba40591ba336a7fdf8d3f164493e5f6200f77ca
AgentTesla
+ 285 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200713-zpcmamqstn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 48fa920b95c78f7e5d703381109191ba1aa2b552980e0d995e9aae58d8742255

AgentTesla

Executable exe 5d567a17efdfd5b798013424d36c0e2d32a20ba610dcaa0011d7aad2eaa6b4e8

(this sample)

  
Dropped by
MD5 ca145d63e92f31fcdb37f3643672aff5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24975/
  
Dropped by
SHA256 48fa920b95c78f7e5d703381109191ba1aa2b552980e0d995e9aae58d8742255

Comments