MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e01c452698df76b81ed6303b8742ddc13d78fd946b3dbe3a3faccd9ed4768ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e01c452698df76b81ed6303b8742ddc13d78fd946b3dbe3a3faccd9ed4768ff
SHA3-384 hash: 0a0f0ff0fa7bfe6a0f013b7074556169caab90116785c1921bfe2e092ea83f645040d75dd579a1cf67a4788ce13785de
SHA1 hash: 7aea693341c580e92cf21ce022f444f7023dc357
MD5 hash: ee33c83709da5bdbb22609650c8f1c60
humanhash: pluto-delaware-hotel-kilo
File name:Account Setails.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:868'352 bytes
First seen:2021-02-10 14:14:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:EAC0jj58kfYuRG1uy9Akrhm0HVS29kc3Pxv+7bxIMv6nnjqKoe:EA58kfEuIroB2D+pII6nnjqKoe
Threatray 2'556 similar samples on MalwareBazaar
TLSH 0B05BE1336848A98DEBD57F6A226404023F5FCABC724D60D7FD8329A1DF6B924923717
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Account Setails.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 14:18:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7902a626-2c1f-41fb-b692-088be2b4a250

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116571/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/604633
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e01c452698df76b81ed6303b8742ddc13d78fd946b3dbe3a3faccd9ed4768ff/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 09:59:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lya4iutjrx3wxapnmmb3q5bn3qj5pd6zi2z5xy5d7lgnt3khnd7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
054147573d08967dfe8425a2df8295d8829e4cd839c3a73124bdeeaff2b991f8
AgentTesla
3bed1ace3b8e8797d0df86154ec358ebfd94d011be503b6b35a44e845029fe5e
AgentTesla
6272206fe704645cbed15d5edc47bf4c38e4ba591032e34b3b94d1e63aaa907b
AgentTesla
63a4f89a7edeff9e5e817e8c61e8cff54cc5421bae27c35f343276991a52039b
AgentTesla
7efe00685831006f7656968fd2bd48f6c9af3b20331411f6976d11825052c6a6
AgentTesla
89e63255b023d7cace3937516529e78dc8b23500c42ee58e066895347bf4dfee
AgentTesla
8b389a84ae3cfade9a80c01dd1d3e3b3555581ef4c75a475d04fefe45b36c17a
AgentTesla
ab5dfee27ea37093d09e2e14d1c46f6c6eed2240c73328d53b2372e71f68c365
AgentTesla
cc768b0d5c345d446eacb21922c6561e763015cc6782fdde5a051e1d4fe56acf
AgentTesla
cc918d46ceafe7d60b4679a6a91d763b4d557b10acc87917d173aef865275a19
AgentTesla
+ 2'546 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion ransomware spyware
Link:
https://tria.ge/reports/210210-w71jdrmjve/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
fd9402edad541243193913dab7ee0d258fbe86bb51ff27d7cd8042a3388bc8d7
MD5 hash:
b5f27781efbda333ea8a2e011c283b20
SHA1 hash:
d68e024640c02ffbb27173803d577c9111710aef
Link:
https://www.unpac.me/results/68a5ac81-e779-4abb-adc3-4f4826abd363/
SH256 hash:
55c703c656d5e121512535fddb4cd77aaa3931d8cf6eff70468a825648df4550
MD5 hash:
24fb20431daaa9d37b624aa192828206
SHA1 hash:
baae99a04ea3ba5b98e3fd89588f99352150616a
Link:
https://www.unpac.me/results/68a5ac81-e779-4abb-adc3-4f4826abd363/
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/68a5ac81-e779-4abb-adc3-4f4826abd363/
SH256 hash:
5e01c452698df76b81ed6303b8742ddc13d78fd946b3dbe3a3faccd9ed4768ff
MD5 hash:
ee33c83709da5bdbb22609650c8f1c60
SHA1 hash:
7aea693341c580e92cf21ce022f444f7023dc357
Link:
https://www.unpac.me/results/68a5ac81-e779-4abb-adc3-4f4826abd363/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e01c452698df76b81ed6303b8742ddc13d78fd946b3dbe3a3faccd9ed4768ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/116571/

Comments