MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e58173d37084f62fe59bf6859dea01e244325b7ff0a4acaa7395a58a36efc9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	5e58173d37084f62fe59bf6859dea01e244325b7ff0a4acaa7395a58a36efc9a
SHA3-384 hash:	0c7d7cd524a8563ef0fa14f225d37a989c65ef664302ceab4af659a3dbd6ad58d8a248c5e907ea9a013db9a7cbbb8cf3
SHA1 hash:	49da80ff14c9120edc8856bebaedb21e1d3d5fe1
MD5 hash:	6e2dabd73940083f26778b9b96fca998
humanhash:	emma-floor-magnesium-earth
File name:	PO #367459.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	726'528 bytes
First seen:	2021-04-07 05:04:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:zVT2iNWaq67KaJZ07hUkSXzr6dJ5bHNC/v2sKnUZEQcELjF54SE8cbBhLNulx:zVT15Jxk7hMDr6dJFtCWsQ0E
Threatray	4'760 similar samples on MalwareBazaar
TLSH	97F4CEAC3340B4DEC857C972CA942C65A621F1FA671BC7538017129CAA1DA8FDFD49F2
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO #367459.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-04-07 05:10:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5030950c-fca9-461e-a703-8a816e1f3594

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/132724/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/668192

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5e58173d37084f62fe59bf6859dea01e244325b7ff0a4acaa7395a58a36efc9a/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2021-04-07 02:02:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 48 (39.58%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lzmbopjxbbhwf7szx5uftxvadysegjnx74fevsvhhfnfri3o7sna._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2372eaddae0b9ff47b6cc45c9ac7a5c508c3cf6fb4ecf858d953b287692385b8

AgentTesla

3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf

AgentTesla

782e217ec684944693a03a56d29675c879b31fb570c5f9956552ba5968295463

AgentTesla

8434177ad88b9dae32c1af3253dd5cbda0bfa994d3bb6fcdda659679ae822228

AgentTesla

8f1200247d085dbec4f07076dc216b2ebf4a3c85c2aabf6594ac42e3c3f88753

AgentTesla

9e33ca4eee3b2499f384dcfd926f97675258157bbdbeaa5c6720abc746c77d2c

AgentTesla

ccadb83ba60ee8071cc3a4dd12d7169c78a8bd17aef30865101640b3cd73cc34

AgentTesla

d52fe7af7f5d3a031f670ada720d9d1f9d451a096ce46862e589fb30af397cee

AgentTesla

dfcc5df6ea28e158b19b5168275bd140720d5cd73e3df9dab5ecb513255d21f0

AgentTesla

+ 4'750 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210407-aarlzvrclx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

0e74e3d2563047f4a25e84e53043fa93293eac276573e1702f9324db11a6e05e

MD5 hash:

768b249abce2fa634748d5d0d5819c1c

SHA1 hash:

a203e96d2ac46765fccbb421ac6f4a3e8a267553

Link:

https://www.unpac.me/results/7b5e9b60-d3b6-45d4-ade2-e49d70f64d09/

SH256 hash:

69cba8a76d016591682d0070ba42ab11c9a8d3fb0005aa5bae028df71e1a5b7b

MD5 hash:

25bd2e73971859649dfbed6f31b41bb2

SHA1 hash:

41bb424b4bdcf0fe90ac151016420851144a3367

Link:

https://www.unpac.me/results/7b5e9b60-d3b6-45d4-ade2-e49d70f64d09/

SH256 hash:

74cca20da4b4e8148e6e6e4ac37bb0153b66269cc9ae36f20d66912b6f48971f

MD5 hash:

f0bc250277117da5fb7e6ee2e8fa766c

SHA1 hash:

3c14684654474189c4f9b338556e732a9b31bea7

Link:

https://www.unpac.me/results/7b5e9b60-d3b6-45d4-ade2-e49d70f64d09/

SH256 hash:

5e58173d37084f62fe59bf6859dea01e244325b7ff0a4acaa7395a58a36efc9a

MD5 hash:

6e2dabd73940083f26778b9b96fca998

SHA1 hash:

49da80ff14c9120edc8856bebaedb21e1d3d5fe1

Link:

https://www.unpac.me/results/7b5e9b60-d3b6-45d4-ade2-e49d70f64d09/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5e58173d37084f62fe59bf6859dea01e244325b7ff0a4acaa7395a58a36efc9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 2bb77f6842577ebb19eafc91bdbb4c8ca47f8821171621ec674584f86c59fb0f

AgentTesla

exe 5e58173d37084f62fe59bf6859dea01e244325b7ff0a4acaa7395a58a36efc9a

(this sample)

Delivery method

Other

Dropped by

SHA256 2bb77f6842577ebb19eafc91bdbb4c8ca47f8821171621ec674584f86c59fb0f

Cape

https://www.capesandbox.com/analysis/132724/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample