MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e7c160d68832c6b823474419cb0c54b79b57964e997eced8c175fa453def2e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e7c160d68832c6b823474419cb0c54b79b57964e997eced8c175fa453def2e3
SHA3-384 hash: 2ac854a1df6660d176ea9e92a3782c78da212a5d33e6dade766ffda245db63bbc02d6748e1ef51836e176bb491edb067
SHA1 hash: 11b2b064be5a5e2971a24baae3ec6bf6082fec79
MD5 hash: 00eaacfc4c7d1d1bef21c3e3577c712c
humanhash: muppet-carolina-pennsylvania-yankee
File name:VOP E 12A No. 18 SEV 12 09.08.21.xlsx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:506'880 bytes
First seen:2021-08-09 11:27:22 UTC
Last seen:2021-08-09 13:06:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:wFmVYVqITth8UetA8aI8RU0c0QGpXXtKfnVS2M3F7XEmiO+gs3FS59IyKpUuFR:6FF8UetA3u0QGtXQlMXEmiOxCEDuR
Threatray 8'092 similar samples on MalwareBazaar
TLSH T16BB402296629CC57C2B657F806E7E01071B66E06297BC306A6FEF97CE7F27811D81384
dhash icon 30f0e0f0f0e0e030 (1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VOP E 12A No. 18 SEV 12 09.08.21.xlsx.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-09 11:28:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/afc5b767-ec42-40c8-8a9e-509fefc6b5c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177526/
Detection(s):
SecuriteInfo.com.UDS.Trojan-PSW.MSIL.Agensla.gen.20873.10259.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ffa54cf-c5b9-4415-b0e3-9a85bdaf6a94
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829242
Signature
.NET source code contains potential unpacker
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e7c160d68832c6b823474419cb0c54b79b57964e997eced8c175fa453def2e3/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 11:18:55 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lz6bmdliqmwgxaruorazzmgfjn43k6le5gl6z3mmc5p2iu666lrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
AgentTesla
1999b409b4fdabafe9343b5a7d3f4ac0a019fe8f1f5d7ca3caf9fbe051c01ca8
AgentTesla
365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2
AgentTesla
36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10
AgentTesla
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
AgentTesla
a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55
AgentTesla
e19c08f599af43e73bb73b7183ce1b8a1e6712640d185d6f29ae0cf165bdfef5
AgentTesla
f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90
AgentTesla
+ 8'082 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210809-clg54xar22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
8fc2067ca35742d405bfb706139bef331dc9ff63cd8ffcf0dd55e66f7d53f107
MD5 hash:
22a34aa3e3e17d099fba9f0aa71b5ee8
SHA1 hash:
9c8025b7387690ebafe0b5a0d412e2d73ac8fb5e
Link:
https://www.unpac.me/results/22e10307-289d-4411-a3a9-0473498e91de/
SH256 hash:
c74940d9d21799d9a92eb2efe76b125a25e65c479385c8ed813e869bf67f7c1a
MD5 hash:
d793667a38bdd6a6886f6b2d45fa22dc
SHA1 hash:
7e4cba7892bca941b85119cbaa921880d2ccd244
Link:
https://www.unpac.me/results/22e10307-289d-4411-a3a9-0473498e91de/
SH256 hash:
eee609fd474474c9b2fa5e377ac07ba1f83415f79071285fd36c8ce12c5f19ca
MD5 hash:
4abe5471705ee16443557e1fac51f8ac
SHA1 hash:
0bfc326345f82c51eec584f1c3f8cdc41d705731
Link:
https://www.unpac.me/results/22e10307-289d-4411-a3a9-0473498e91de/
Parent samples :
6067817a353dc37fdc604639a53a627306c6c2c182b5c1976e14d33fa6375de3
a56f5f192556bdb3fd7af7a7d03750cbb4473b14ecde429a39a1b80ab6c6ab67
SH256 hash:
5e7c160d68832c6b823474419cb0c54b79b57964e997eced8c175fa453def2e3
MD5 hash:
00eaacfc4c7d1d1bef21c3e3577c712c
SHA1 hash:
11b2b064be5a5e2971a24baae3ec6bf6082fec79
Link:
https://www.unpac.me/results/22e10307-289d-4411-a3a9-0473498e91de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e7c160d68832c6b823474419cb0c54b79b57964e997eced8c175fa453def2e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5e7c160d68832c6b823474419cb0c54b79b57964e997eced8c175fa453def2e3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177526/

Comments