MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd
SHA3-384 hash:	b0a7f691a647437caddfd701e868ce572feafa02f24fa92f50e432f0a5be5663ac29d36464b07df28e135b37db32bf8a
SHA1 hash:	18254fc83a340ca9562844542425ed7f995bff4a
MD5 hash:	2e1fcfb191508fc51320313d059bd30d
humanhash:	utah-papa-victor-magnesium
File name:	file.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	221'184 bytes
First seen:	2021-01-13 14:23:15 UTC
Last seen:	2021-01-13 15:42:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:9+6f5r9AGcfqVIN6uKWqu6XqXn1U/5aB250tS7xKrRkgF973P4tXJVgX3BmlMTSz:lrSN6uKWqu6XKUk80eQrN90tXLGB7kU
Threatray	2'136 similar samples on MalwareBazaar
TLSH	66242A5A6715D561CB6F527EC01A821831F1E703972AD38F59A2D8EA1F832CDF90BCE4
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file.exe

Verdict:

No threats detected

Analysis date:

2021-01-13 15:55:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6959600e-7b5c-4d95-9040-c7ab0de95637

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/111788/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.28413.18771.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Changing a file

Creating a window

Launching a process

Sending a UDP request

Searching for the window

Creating a file in the Windows subdirectories

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/580170

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Installs a global keyboard hook

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2021-01-13 14:23:05 UTC

File Type:

PE (.Net Exe)

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lxlauwrol4duinoliogt4iu5di6e4txtlsoiq2rvnnjk5obsmxgq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3636cc307af2413f0e2c93898c21f0441c053c2d7d28bff18f677fdc90de1917

AgentTesla

3e355c206a5b82036c07832fd4e7cd823be0a5b71d272de8062c99746033387b

AgentTesla

47f2e01332f2352960848114607310d9bb23caff5a8de7d67f9e2ed7fc6944b9

AgentTesla

bac72d66599569fb9217e714c2da097b12285efe1187515dda1f89ec5b4933b3

AgentTesla

d23fae385c1d1c2e8a92e1b47c13f113c57030d87ded1e63769cf25702f945b9

AgentTesla

d657c278508c896eb401dd575052850c94a77280113f93d60f0e2c4584877e35

AgentTesla

e7e3ae47908170117d256b30126ff8728dc821194b2e0603ad9030dea2617bbe

AgentTesla

eb362970c0081effbcdab7ce1f6c91d6921ff7f6e3e8e411238404f8d0549483

AgentTesla

fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1

AgentTesla

+ 2'126 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210113-3jbe4ndjv6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Unpacked files

SH256 hash:

5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd

MD5 hash:

2e1fcfb191508fc51320313d059bd30d

SHA1 hash:

18254fc83a340ca9562844542425ed7f995bff4a

Link:

https://www.unpac.me/results/2f202d43-4092-45b1-9485-0502125aa5ce/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/111788/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample