MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dfddf368f0f0406128d3138f485cd1da0a69bebe4e3ffafabf2410463e03ee9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	5dfddf368f0f0406128d3138f485cd1da0a69bebe4e3ffafabf2410463e03ee9
SHA3-384 hash:	158adebcdb2fcb7029845010364756828d58ea7a0ef183aabc1fe4a273e1c17e7fc588fb2e30bc204558e4bb018bdfc2
SHA1 hash:	602861949ff058156e4b1326cc64b51f867620a1
MD5 hash:	5c3484144891addfc1cc8349bfdc2d2a
humanhash:	snake-earth-carolina-fix
File name:	Business Registration Cert. 13rd VN ver..exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	973'824 bytes
First seen:	2020-10-26 14:33:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:ZdtbTTVYhWLSLvxCJ5HFwhjJpbfTCZQ5xdBa:Z5
Threatray	185 similar samples on MalwareBazaar
TLSH	B9251E3CAE9525E3A273E676A0F60587FEE8618673785D4B02C327482D4AF123D9734D
Reporter	abuse_ch
Tags:	AgentTesla exe Telegram

abuse_ch

Malspam distributing AgentTesla:

HELO: hanmail.net
Sending IP: 204.16.247.147
From: Lam.Ntt<lam-ntt@hanmail.net>
Subject: (CHINA) Vendor Registration sheet
Attachment: Business Registration Cert. 13rd VN ver..IMG.iso (contains "Business Registration Cert. 13rd VN ver..exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/79182/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/511981

Signature

.NET source code contains very large strings

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5dfddf368f0f0406128d3138f485cd1da0a69bebe4e3ffafabf2410463e03ee9/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2020-10-26 06:04:10 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lx656nupb4cameunge4pjbondwqkng7l4tr77l5l6jaqiy7ah3uq._file

Verdict:

unknown

Similar samples:

015da4d338b5ccb6a5ae37b29a30bdd80445280746011616535a26c60b4be0bb

0fb431964ede898512c981a18eb6a12bf7304c8a858bb61a0ca4280bfdbe6898

1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769

40e91b54dfb08b396759074f6018c28433f771a9c6c66ff5b1789d786c591c87

5daec184f65eb553c31e17f10af8a2143dd65c52b61a95ca364b1c725f5ab84a

7fb6e9a788b18806469167cf64458dd590122593a04489cf70bb70434905a246

a77e9393c4000e96d483a677574a78f004e87837013f7bd1414567d436014b6e

aa629febbaa577cc72e7a001df96a0afc08094ea57493bbc77857d9996cd3019

cfa043d2f0aaec78a984700f442b041a62f06e569813c105a98765a9a0375f58

f089cbd6d20afda4f1e00ed09abd44c9f271c8db61bbb1ce07048fadda34b1ec

+ 175 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201026-mmap2tvqne/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 0ba34a235311a9b43447213da48a1945be01bff6a2998a4360e50d4292053e6d

exe 5dfddf368f0f0406128d3138f485cd1da0a69bebe4e3ffafabf2410463e03ee9

(this sample)

Dropped by

MD5 1076d93181a2c5d48c473aee311ccc16

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 0ba34a235311a9b43447213da48a1945be01bff6a2998a4360e50d4292053e6d

Cape

Cape

https://www.capesandbox.com/analysis/79182/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample