MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47
SHA3-384 hash: 98e0964d869c525ea6f81eb3360fa3b11ade707f2653854996450d4a40423784060acb29cefde351127f58bab0aff630
SHA1 hash: 261d4b931d996e9f56b284d740c8a041d19b773c
MD5 hash: 271ae9ad458359954927dce3b95c3ae5
humanhash: paris-social-lactose-autumn
File name:271ae9ad458359954927dce3b95c3ae5.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:556'544 bytes
First seen:2021-03-11 07:56:13 UTC
Last seen:2021-03-11 10:46:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:QhZi9706axwzT/otbnmMwCvLfuaKqzUMSr2eG:QhZwaxGMaMnvTua/IT
Threatray 3'177 similar samples on MalwareBazaar
TLSH FFC402602FF8AF5AD2547FF90AB3911C63BD82D6D810D309CEA42DCD6A29FC40E80597
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
189b37d77c00cc2f6dacecc01592158ca4c1d0165ba6cdff063ff14e2c3a283a
Verdict:
Malicious activity
Analysis date:
2021-03-11 04:21:40 UTC
Tags:
opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/3598e019-a76d-4d86-8004-2ac96cd0dbb6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123747/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.8601.10034.20630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/636567
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 06:33:11 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyqyvc3m6mnforuljfkmqg4mipjxpwkcr3n6p6mh3xonuptvlzdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22c6a5976ce7b78c9fc9be80c53945344670b5df128629f0d1e99d48b2e65121
AgentTesla
492a4a339324e1bb41f6d4d74b43c8bd886fed3f808532e599a49a3f220d1878
AgentTesla
4ee357dd7681ca5f80acaeb7d55df4432de5d370c73e6bb887e3461b6ed537f8
AgentTesla
63fe4414329ce0fa71954c9d1a65a74d49457844fb1043b104f4cd64c832f84b
AgentTesla
6ed53f6643dcd36904ac60d32e8f0966d71bc8445d5295cb0414b7229f1864df
AgentTesla
72da1e5fdfc57c07501ab49085450aac225737f4eafd1a9a2a2d2ce46f615b19
AgentTesla
8d7fd2ba003d57a91242d901b189d42420b658a0b1cb5e9d9849d7816f3604ab
AgentTesla
a03e120f219832ce89401ddfe77837c3710b505e5480842bf298704b3cc38085
AgentTesla
dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2
AgentTesla
eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06
AgentTesla
+ 3'167 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210311-e1adrqywbx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
da78bb949c936c5cf5835cd7a6fa22f6b568c446c9b79cda3bdb0ccc8e059d59
MD5 hash:
0c0de12b63de8c45ffcb5982949589d5
SHA1 hash:
76de6a8b3754c064a7457c4158b993e46b337259
Link:
https://www.unpac.me/results/3fcabed8-c8f2-4c54-b983-43a6296b50ad/
SH256 hash:
1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc
MD5 hash:
8f85df46a482b5b068ae7667bf1a33d6
SHA1 hash:
a210d369311aa4d709dc962c634174738576907e
Link:
https://www.unpac.me/results/3fcabed8-c8f2-4c54-b983-43a6296b50ad/
SH256 hash:
5463806bf1548e321b13895726f740269d238c506445dfb471a6eac48981b42f
MD5 hash:
47e7b3432e9778e07e27c964599b3ba2
SHA1 hash:
fea50e02671e664d1dc4b1aa418d834cb1e4a208
Link:
https://www.unpac.me/results/3fcabed8-c8f2-4c54-b983-43a6296b50ad/
SH256 hash:
5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47
MD5 hash:
271ae9ad458359954927dce3b95c3ae5
SHA1 hash:
261d4b931d996e9f56b284d740c8a041d19b773c
Link:
https://www.unpac.me/results/3fcabed8-c8f2-4c54-b983-43a6296b50ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1060797/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123747/

Comments