MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 17 File information Comments

SHA256 hash:	5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770
SHA3-384 hash:	caf895f035e6e07c39d415d4231c0b0c5852d4586e14df8fb958619dd74249e903303e7298952ed28db6ec1ad9f438cd
SHA1 hash:	4ae391c4e63a66abc3e473748af8095501c64caf
MD5 hash:	96c8e0d88340a9054802fe79776567d8
humanhash:	indigo-mockingbird-harry-potato
File name:	Fiyat teklifi. YILMAZ İNŞ A,s. 07052024 YILI MİZAN Sip PO-00901 .exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	731'136 bytes
First seen:	2024-05-07 08:10:10 UTC
Last seen:	2024-05-07 08:40:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:ww6auhObxoFuPU56leQYy8Hvq9DggGfOwWy1FL6C8MydwvW7Vk4RD0g/SH:ptuhOb58eeQt8Hvq9D5GfOwWy7Fyv7Hk
TLSH	T1A5F41212B34E7B23D5BD83F9124850541BF5A86FA4B1D71C0CE750EA6BB2F528A84F27
TrID	49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.7% (.SCR) Windows screen saver (13097/50/3) 7.0% (.EXE) Win64 Executable (generic) (10523/12/4) 4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	71f0cce8e0e8d471 (11 x AgentTesla, 1 x PureLogsStealer, 1 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla exe geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe

Verdict:

Malicious activity

Analysis date:

2024-05-07 09:00:16 UTC

Tags:

stealer agenttesla exfiltration

Link:

https://app.any.run/tasks/e3571fb0-d56d-4e54-8160-142e87869035

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.10325.4607.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb409229-a390-4cbc-aa4c-83b27e302994

Result

Threat name:

AgentTesla, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1437311

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-05-07 05:17:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lxdiyqec6aeetjayvidiwfjsfsmirysgf5ix73yfwyyb5kzty5ya._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

execution

Link:

https://tria.ge/reports/240507-j3aaesfh9t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Unpacked files

SH256 hash:

4909093c1045073940daf73778f88ce3e5d4dcbc0d69e3498ad4672c2e699013

MD5 hash:

28b43a10958caef0465f7b93be0a0d77

SHA1 hash:

9c85c1cb7f6face0a6c8d0a2d2314a99092d6554

Link:

https://www.unpac.me/results/2240cd8e-98ae-471d-9f42-d1de3ddcd6c3/

SH256 hash:

d32c2d6f8e7c860a49104838b7c810a0742c4e1d658ce717fc39f18d717f7c02

MD5 hash:

374a45a67fdd94898addf1c9af58d2fd

SHA1 hash:

713b72f5ea537268c5a45515ca367acb30de6183

Link:

https://www.unpac.me/results/2240cd8e-98ae-471d-9f42-d1de3ddcd6c3/

SH256 hash:

ba3bf02ebbe2a57d698ee2f46f90c2ce3432427502274fa9fa158d218b846126

MD5 hash:

d992fd3f40226173c5b9694ae95737ad

SHA1 hash:

52f41686022e529cf1df6c3c1767fa60603a4f42

Detections:

AgentTesla

win_agent_tesla_g2

Link:

https://www.unpac.me/results/2240cd8e-98ae-471d-9f42-d1de3ddcd6c3/

Parent samples :

5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770
b4146ebcc1fa90a7e4adfcabba15f5fe474348666fe15c98367216932fcfa7bf
d4e68dc6aa8c09d01c6769fb5d69ba0700962aec433adf7634aaaf9f54211799
bb62ab2391b4c5b5105b8d6928ae76bc52f25615310737967e2210b7028778e5
a60a8d9651248980e0191bab60ff352653df5cf3047b578ded01ad8096f08ffb
9876d83fb5054d3d57e3c5e6cdd6883100235625717e7b50f11a743785a24049
bbf3b7facc03ac358b1c43e2b1f5c35082958310a15d924415e5afd133d1ac0d
3979eb243225878a1331722d77eeb7d5937691a9e81322bfe24f5ae23aa855f6

SH256 hash:

58d69063e7c1778b8fe306608d01b54712dbedc6865f684d2416facc208f3f23

MD5 hash:

c684019e698444faa861bd040ec4b439

SHA1 hash:

4caa1702d5ee83ea9074198adeed93269031dec9

Link:

https://www.unpac.me/results/2240cd8e-98ae-471d-9f42-d1de3ddcd6c3/

SH256 hash:

925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891

MD5 hash:

bf426feba5a9a2f55c1a2e439b3f46c2

SHA1 hash:

4b547c42a4a14a4edac9fce0484eeff41f1ec116

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/2240cd8e-98ae-471d-9f42-d1de3ddcd6c3/

Parent samples :

7e8466ab7fd0c3ce3f6ef1df5bffa0e4fb0c9764b3c553685ca62e3d8fbb80ad
05a341609057f68b1b8297c7bdef34c889f8a92cb47b54680c8b30afc4c102d7
0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
1809301d773302b15457bfa5830b9eebfbec989867db46e9a06882af386df130
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
ce356848dbe05d9b3dfe99c857e5abae2e19ceefbbdaf32d2c786ffc434d4314
049b5a9dc73afb156d98d5087d9d728287a857420b698ed12d494a2924341667
b9f7f2043b9a1cdeca868f55c33bd83d993be160ca42bb38ac3281ac00f6ec10
7cff23ba2bec8f206920f7814f67fb40698292d87b0137c9a87dac596352aa56
566368d997e93866144f269b23a33a54d910e01c6723ea141bdf88bd9202f31a
20184d8ae4b97f301f2c135cbc53f1600d2da3952653e384aa38578a19dd1b94
d7f670f5225888ddb631d26ccdb01a8c514965d48e15f3913348db8949b606fc
0c12ddd4730b8976410d8245aeb9f69d148afa2a1ae2a761ff82ca1744dfa207
47023bf6cf58f345002a5ced2740eb0244c02d1936123079d1ea41c427d5cf90
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
c68376bcbfd140e682ba3b0f7535af83a9653b63f090718ce028a9a65514959b
622cf81d55d81ae7200c6f7353d62f9ab64a43ba762fa1b604749d85ae2a8d07
1268ff6a657c693e5b4fa2ee3aa1ffcf3f5c0449ab5468fb430a3147314e2931
331621cd29733a7586ec0ecc51705f13433e146daeeaf2fc1848f8f5e8cb1306
3130e85a4fa0df65c8ab6a310c3ea1cb2c91e4cc2cc55f77c1dfa1e606037438
9c88b2fbf7b78279ae5a1f6c4ea318e2d4620d1f6ce23d8f89b1bd3e50bc0f95
966f683a0580f7d052c49ebda86cb0fb3ea22199fa37698cc0e0fa7ac5a9a95f
cd04d0be3d3ffb70bda5e2dce9f0bcdd480e5209f000a91a473f8020eab0deff
9e40251e52536336aee3deb9b764441efff559f90a83987c3f51db874bdee361
d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5
f23060f99dbfae0f176522266f43adedd3a79eef9960d808201e472f3cf96832
0a750351ec2b43d2ff77cf94903bcb9a2fda69450d62eedf2fa4eebda26e07f2
377449ca71b8a9f0688ce1826a2b245cbafc8dcb56498eb6db9b5a973f5ef36d
307b6baff0d23da831efea1205facd7d4352fcd532edca732ac42322eabb6eb5
c5f5072d4434c3210c68708a250b1c62304f213c5f0447c010e55c6d4d6370d5
34f7239e0a54a95941f92fb3e1b027ee214ae6002773e917e23e58e28a754726
1b57a890251e57f1b1861cdecaa0c02ff83d438ea0cef15a677dfa0a67e7891e
ca7bfa1d520a6bdf0711c132a66bf28a10bad487ecbc225f69038ed95619dc86
5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770
bcdc102d9b2ee935356e5888be20ed24f5e6916f668d1847a26630223265d197
b4146ebcc1fa90a7e4adfcabba15f5fe474348666fe15c98367216932fcfa7bf
6a37c6b56b588d4bb27dc42af88e95ac60bf80a0544870cf6476c423f4eec2c1
ca1dc64bb446fe0612f320105ab988ea750a7d7c9e1e0689005925dae6d3a8ee
c6e903556bc2f879377ea0e482875eb73d980edbc156419ea3bb741647e2ae04
22227fce9d09014d3fca954bf6fba7a40cdf9bcf4b8dd13f69914fab061d0dfe
83daa016494bbc800ff8e1db308b5e3dc9c0b73daaf455a579d8268b4f44f3ed
3ba0d394c1cbc83eadb19d11c4f9bd2d831013ccae6f325eed11e18dfccd22f8
e7dbb76c52c158efa316bd2236902bfe1208e0742621b9652806bdc13ea3d6e0
203bacf22feee36e2d35a3846fce5db308f078942ce7ed5a16a9671f6138e46b
9db03971f027f14894036a6c0bc19fd875dad7387708a70623d1f3a8e5627958
8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27
1d7754c8cc8eb7df3bd429fe9806b85f7f6fbd768ff59948a1772eace6dec77c
115fc6621dd995b238916ac8629521d718fb941f0b455f019c85b1a4174f47d2
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
c28cff180b9334b37f4d59ec77dd36b6665e1a3e8f4625be51f9205e523750bd
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345
bbe3fb7e0f0ddf898c7f5055707dcd5847cf14801f02563f384b75ffd06ece4b
28cc41b32461784fcf2bcb6d66d4ad44cdf10edd2dd8d2b2712e901d1d44ce99
9d4250be0e0211b67c9d2817e00441a0031156edf03e4cea333153275bb87519
9909d16ff5a6e59c3f55c3e4a8bc3c4fbe4fd56c728ffd1875ec602ec1ccd57c
8201ae4019ccfc7b3756ddfbed3f8fed7dc3f65fe47ca2d9b2ee67efc0d57e3e
c7a842c7d0b5d81693410eccebf67e1cbd0725fd1292dd695617494f47543f0f
1bc2001563ec7cb81fc1d7086b7d8bf36b285354015654b9ac2bcf051c68d2f7
403fb4a908a97f67ebabaa9d60f9fc520d3f3f44a892c8f3b9b9fe44edf59df2
4e3eb1a503d160b9cd151c523b34ba05c7bcbd79974a0a46fa092569db8bf2a7
11434dae7da8d82c7cfdbcd435b920c3785903e41dee470bc4e191c6c87b5489
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
f4a45365e22a84bee73e3d8339ee08f2336d76bd78c3f25cf61a08e4a4085a2e
55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f
655bf2b084f93181d47b1ffb31e944da4cd4779a2ce1a17f37286b17684677f6
a26493d2e56f50c049733bc651849a42513021b26bcf8c9fbb4b71fd0b3bac54
17cb12e355a44f0aefb9ec8069817a61f409d455129feb61b489d508c0721992
561f3664b4dcc39b1eb79236231b0e36fb5fde10c8bda6d356d2fa63925f3a6b

SH256 hash:

5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770

MD5 hash:

96c8e0d88340a9054802fe79776567d8

SHA1 hash:

4ae391c4e63a66abc3e473748af8095501c64caf

Link:

https://www.unpac.me/results/2240cd8e-98ae-471d-9f42-d1de3ddcd6c3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5dc68c4082f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Generic_Threat_9f4a80b2 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample