MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e2b50ea71dab4a9890936aa161e9063c33aa43088bc88ed55707b6684aa0f46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e2b50ea71dab4a9890936aa161e9063c33aa43088bc88ed55707b6684aa0f46
SHA3-384 hash: 9b6579a9675736ccbc41c79b1e73e03df15d7e78ff71c41f94b9dda741cc7b1b8815364b22af01d368419642630ae28f
SHA1 hash: 960900a23f1a2cf847d2071eacce2b9787836f98
MD5 hash: f99a9c2f1936cb8b42a196ebe3473a52
humanhash: lima-uniform-eighteen-hotel
File name:order information.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:728'064 bytes
First seen:2020-08-11 13:18:49 UTC
Last seen:2020-08-11 14:21:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:zqGwgHvXIz7vdAWArnylmYry/eqspnp+:zjdHvXIz7vPSypUs+
Threatray 10'616 similar samples on MalwareBazaar
TLSH 43F4192976C5750AD43D063644B9ABD0B371B6C73B12C70F6ACA1B9C9F036CB3B4619A
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43418/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.2342.20333.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/418977
Signature
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e2b50ea71dab4a9890936aa161e9063c33aa43088bc88ed55707b6684aa0f46/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 13:18:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyvvb2tr3k2ktcijg2vbmhuqmpbtvjbqrc6ir3kvob5wnbfkb5da._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ca8c0c5ebf25e694725d965acf1d3db4a299c633fd895ea6f2dab80082d7337
AgentTesla
0e928609807c597f7046341f0a335738ae8efa905be3c51de1f47d3c5ffb1996
AgentTesla
1328e0030337b326a962b3369cc8dd2b474de98267e8e9fdc3684f4e5ecb9984
AgentTesla
4c1a433244a83a823b97c4739c5ef1d79f078f0072d580046e295e6c0271f464
AgentTesla
5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7
AgentTesla
6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6
AgentTesla
7dc693a09183412e6567e278cad02a34b8d4779ba93fddf8c34b1daaf78400e1
AgentTesla
975bd764510169b28cbde394746ed4c26b05ce0465c2184873d5e1c6e14bfae8
AgentTesla
a9103ccf2939a9a9b54d8c50aa993af6fcf3ddda4e0491f1987fe09a83f98ab3
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
+ 10'606 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200811-xmafmbrbqx/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e2b50ea71dab4a9890936aa161e9063c33aa43088bc88ed55707b6684aa0f46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/43418/

Comments