MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e422d014bffd18a8f7659d5c7b5940f522778e624afda13f2f09786428ffc49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e422d014bffd18a8f7659d5c7b5940f522778e624afda13f2f09786428ffc49
SHA3-384 hash: 52b0f2472b72d842638b36548d0935c51403f0ce8bdbbe4a51e39dfd486804c0423e13848ba84cfbceca8d885dcf94a3
SHA1 hash: 6b76ef134f268282710143f314b035b48937d50a
MD5 hash: 261576e5f3bc4c59ad2e485aba4b4c63
humanhash: three-nineteen-oven-johnny
File name:INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:627'200 bytes
First seen:2020-10-23 09:29:21 UTC
Last seen:2020-10-23 11:22:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:aShk1d0VwpyxhWUJnuU7oY5RaS2Lm8ChfvfR0f4f97RlQs9bIYrbpkXOoV2OYLl2:m0VGy+UonC2LvE+f4F9lzn5yXKCeiP
Threatray 746 similar samples on MalwareBazaar
TLSH 30D4EB3CADD5223796BAD6BAC9F559DBFD52754331126C0E90DB03860A03BA77EC201E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: lifeline.co
Sending IP: 103.125.191.94
From: Ramesh Vkharia<info@lifeline.co>
Subject: Invoice/Parking List
Attachment: INVOICE.exe

AgentTesla SMTP exfil server:
smtp.poongln.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Bulz.150105.26464.4052.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507979
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e422d014bffd18a8f7659d5c7b5940f522778e624afda13f2f09786428ffc49/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 07:55:49 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzbc2akl77iyvd3wlhk4pnmub5jco6hgesx5ue7s6clymqup7req._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
564430d34398ae8a04894b90c02aadfb95fce13a06644aa095f533a73aac4ff9
AgentTesla
5c3e3d39b5a83c245629704b440a8310ed5fe6c99bb559a0f69c0afde00fccce
AgentTesla
5e082ed595236d19176b95e02863e7726e36b98a782ce6f8b893667b90b878bb
AgentTesla
6b6a0a9a882003f1313cc2ad29a0cc12fda5f22ef77e239ce65fca25ae95b058
AgentTesla
6e032f7806e9839c8652495c42ded1cc153c6bf3fe2250dee2cd87132f95892c
AgentTesla
79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5
AgentTesla
ad8aeed2d546163aa0b5cbfb430bc9a02896645be4a51cb654083ce18ab853bb
AgentTesla
b84aa5ba2bf1c040d2f318a7f5ff77ee7e8e98a33c458f32c737106568549879
AgentTesla
be6d4618333f5bca53591236f870ab7d368843e7b32b3333d97a4a72d920559a
AgentTesla
f010bc0295db81514c87fde7298f3425670ae67f4f24a21f20232a10eb644907
AgentTesla
+ 736 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201023-7ebnt9y29a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
5e422d014bffd18a8f7659d5c7b5940f522778e624afda13f2f09786428ffc49
MD5 hash:
261576e5f3bc4c59ad2e485aba4b4c63
SHA1 hash:
6b76ef134f268282710143f314b035b48937d50a
Link:
https://www.unpac.me/results/1ef97c2e-9ab4-4c75-b22a-6fb01ff8cb33/
SH256 hash:
db5e2a824537d5c1ac5324130341a0c316291d8209f11599179ddd1545bbc89c
MD5 hash:
abd7e09834bcffffaa2bafd7102f777a
SHA1 hash:
00b6e9e4b6574eed56d8336d713e04184cd04f3a
Link:
https://www.unpac.me/results/1ef97c2e-9ab4-4c75-b22a-6fb01ff8cb33/
SH256 hash:
2a399712534c79e90a868b859c3f5080a5c17b25ece0a8e47ed5391ef4072153
MD5 hash:
429b0ef7fbb19b6a9d38041b868dbb5a
SHA1 hash:
0b934c610d62080eabf4e2a83aa6a8be4d500267
Link:
https://www.unpac.me/results/1ef97c2e-9ab4-4c75-b22a-6fb01ff8cb33/
SH256 hash:
25616b4a47f4b1bd38f4787c0ef0ceaa9cafb35767cbe57d85f2cc5d47e418ca
MD5 hash:
1b599da3b695c19419e486d9a011ab7b
SHA1 hash:
d2a35a245b19c7a3083be2dbfd8d10362255dd6b
Link:
https://www.unpac.me/results/1ef97c2e-9ab4-4c75-b22a-6fb01ff8cb33/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5e422d014bffd18a8f7659d5c7b5940f522778e624afda13f2f09786428ffc49

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments