MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e9f2794e4c145fbd68caacb0ddf07d1d35fc9b8b748b2efd1b4063e489f8223. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e9f2794e4c145fbd68caacb0ddf07d1d35fc9b8b748b2efd1b4063e489f8223
SHA3-384 hash: 76c6d215c7228af726d9494bbccc672adf77827251034113dd88eb1d43abc71a92c66f196222d8eab9d5d1ce1b0bdcbf
SHA1 hash: 5be89fd0488636b47ab07a28b8bd41f15c0c7e41
MD5 hash: 0d5ecb5c496e7399e221a8de306c659c
humanhash: utah-enemy-hotel-comet
File name:RFQ20230822_Commercial list.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:345'984 bytes
First seen:2023-08-22 10:19:11 UTC
Last seen:2023-08-23 07:17:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:aQ606xiI86ZqqEWdy34g5xKQcMI32bzybK5EQ/l3TZfwlNWUvili+2EMKedJD6Sz:5I8eqqESvSxdHbIKKu/GOi+evT
Threatray 5'562 similar samples on MalwareBazaar
TLSH T1E374125341A0D867C4F60D32A9FA727BCB76D76AF4D35B830B90A8493DB83C9560E9C1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f1c0c68e8c98fc70 (3 x GuLoader, 3 x AgentTesla)
Reporter TeamDreier
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-15T01:52:26Z
Valid to:2026-02-14T01:52:26Z
Serial number: 4f5a245de1a7aba8d49740c83e6630f8466cffba
Thumbprint Algorithm:SHA256
Thumbprint: ee2fbe9ac30a45cbfe590f6f1fe62879f155261679527a05b107aec50fe16226
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
354
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ20230822_Commercial list.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-22 10:22:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fbeec5c-7b8a-4786-bedd-fb45960dfa9c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444131/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.2110.31546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108285/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5e9f2794e4c145fbd68caacb0ddf07d1d35fc9b8b748b2efd1b4063e489f8223
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f34e603f-7d19-445d-b74b-f5564d22739c
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1295074
Signature
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e9f2794e4c145fbd68caacb0ddf07d1d35fc9b8b748b2efd1b4063e489f8223/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 02:53:41 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2pspfheyfc7xvumvlfq3xyh2hjv7snyw5elf36rwqdd4se7qirq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
0432b62b226056b540dea3ec016a862521c3191da87f99ad5a02a1f633f9b947
AgentTesla
05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2
AgentTesla
0e2e9a7a5d6597e2d6e890b3dabd32d067c4e63cbaaf0428cefca2ca8822aa94
AgentTesla
3520f6322123eacd232b1dd107d892e852aa8cfa79eaf4fc3fb9c5b23893c948
AgentTesla
485b45513f839ff3c972cbd2434273388b87c070c8c6125a8462aeabe2fb96d5
AgentTesla
4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
AgentTesla
68d7bd6dc7ce2ada6af865682185e9f2c33c897ec3191f0d6127d3654e69b4a1
AgentTesla
920d519caed6fad76c8205ab38d984baccfd97405b1ca5ada793cc50140183ca
AgentTesla
cf1eb9b3d862c9f561c215d3c9c49795fd822b4022e325368963376014fce4e3
AgentTesla
e2a4e3661a1ba5c88dbfcb792f0d489b37f14f74f2d1b2111a278bc81fb930c7
AgentTesla
+ 5'552 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230822-mc3qtsbf68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/d2b7d739-ca01-44e1-8409-c88388480a74/
SH256 hash:
5e9f2794e4c145fbd68caacb0ddf07d1d35fc9b8b748b2efd1b4063e489f8223
MD5 hash:
0d5ecb5c496e7399e221a8de306c659c
SHA1 hash:
5be89fd0488636b47ab07a28b8bd41f15c0c7e41
Link:
https://www.unpac.me/results/d2b7d739-ca01-44e1-8409-c88388480a74/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e9f2794e4c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5e9f2794e4c145fbd68caacb0ddf07d1d35fc9b8b748b2efd1b4063e489f8223

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5e9f2794e4c145fbd68caacb0ddf07d1d35fc9b8b748b2efd1b4063e489f8223

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/444131/

Comments