MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776
SHA3-384 hash: e93b6f4e20e88a0512716bcf1247515eb391ec43bbc25a5ad8ba848f6c9900e2fbd1fccd02042298fddf90eb005f81ee
SHA1 hash: 0abd85cf837ea03eca4ec02d22c8c61acefbfe3d
MD5 hash: 0d6349f95596d8a1a68fae2b04bd40b6
humanhash: august-hydrogen-fillet-mobile
File name:purchase order for the month of Mathch 03012023.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:908'546 bytes
First seen:2023-03-01 07:52:31 UTC
Last seen:2023-03-01 09:28:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 24576:oYzoGBsmEL6EaDu4pU19VVh9DnGBoYT8R:5DBA8u4puhGOR
Threatray 3'456 similar samples on MalwareBazaar
TLSH T1BC152358BE10D8DAE42147308579D0795E392C323C2666EB77A9B7DF3A30151FB0E7A2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9c9af8ccd4c46471 (2 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
purchase order for the month of Mathch 03012023.exe
Verdict:
Malicious activity
Analysis date:
2023-03-01 07:54:23 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/61d32f2e-76d5-4d69-92f0-cbe0096803bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370754/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.11377.24979.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63ff045ebfec0852a68e1846/reports/f615d58a-7cc5-486e-9de6-915126501174/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d5530e80-0a7d-4a07-8357-0a11814ed034
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1184710
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 07:53:08 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l35xuiklio6epvifbeobncww54yha2twgkuywcaemcevqro6253a._file
Verdict:
unknown
Similar samples:
0b27deefbf362687701891f8fcbacf4122ce0a6e4972bc7b68cc8f3e7034b1eb
AgentTesla
0bd6d3905b8463f23246c3b7953239277f0ffbf0096367ca02dce1cc38cc4e27
AgentTesla
29032ae14e315863a55a0851c3e1c9cb246beb4513a279d8b1bf7fac97be6ff7
AgentTesla
82d448cb2461440d0ab1777690a41e228118c36961d8ee506ce94a9622b8af5d
AgentTesla
8eaffa403a0bacae0e43928c07f77ea8540b480eda49e10d4a44079b8e0236fe
AgentTesla
8f81fd0cd66548518e82ab4238cf83a55989de7b1ab9099ef43892d0272b41e5
AgentTesla
9842d23cef4dc305ab6b8cd1ade477e1186d94cfd18861e1c87a55aff4d04c40
AgentTesla
dd1ed5209c967dd24b1a861d3eb959a0d52a3ed54a9e0e39685ec5269760f91a
AgentTesla
e60da850d4cf946edd8afe4a6f93953565b55b0f3323357e5136b17b8aaf8c5d
AgentTesla
eda76d518118e4843804277202fb22ac8239f7231775f411d0b36c2980919786
AgentTesla
+ 3'446 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230301-jrjpqaeh2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e4aaf19ab58a9336085234c8064d42ab2506305d80a8738656f2f63b1b6e395b
MD5 hash:
53bafceb44f66074283ebee1a297eba9
SHA1 hash:
aa429c19fb377151b239f7db5f670aadc027ae1f
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/be2871e8-15e9-4f97-9661-3865aca72a94/
Parent samples :
c7cc9b494022ce3e0e73f9da5a6e8c1ba4541b012c0b73be4bb4a10b2eb4c801
c0d0fe7c94e5eea8895b8b3d1a82cf8030883e1e3a5404966761d08a29063d89
c496880015b8aca953669bbfefd71f7c777370e3c12b042d6556f3e8c96d886c
8fd45841fb13a3559678bffcc6aa5d583c9d38918a5657aa8fa0337821adb237
571b5a5b56217afed525b3602ef2b894650c6c419fc18e70bfe74e2973e207f2
c7859e38dac67d93a0be63264364683ce6fd6b22f9145fdf7f45294458cae5a0
31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246
67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11
5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776
SH256 hash:
628c4c641e15c9ea9ead14b9ca64c42abc3667d7dc15240a42ccee612f3b6509
MD5 hash:
53bc3da5bbc3483f973f4af8e7798676
SHA1 hash:
406ffcad2d5759d7406b4639dfb7e69e3c86012d
Link:
https://www.unpac.me/results/be2871e8-15e9-4f97-9661-3865aca72a94/
SH256 hash:
16e60fe24d1b107a1136f953cbba8e55d3ceb1ed2bd8cf7226fc2c87d11e3e2a
MD5 hash:
9f7cff5bb973dc74208baeae5c3b3b9a
SHA1 hash:
c3d5394f2c60ee71da22cb3f347e1688d8d79231
Link:
https://www.unpac.me/results/be2871e8-15e9-4f97-9661-3865aca72a94/
SH256 hash:
5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776
MD5 hash:
0d6349f95596d8a1a68fae2b04bd40b6
SHA1 hash:
0abd85cf837ea03eca4ec02d22c8c61acefbfe3d
Link:
https://www.unpac.me/results/be2871e8-15e9-4f97-9661-3865aca72a94/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5efb7a214b43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/370754/

Comments