MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5efd8831e841f808e66fd310f524425e45e091e04f78d4f76646f5925415231e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5efd8831e841f808e66fd310f524425e45e091e04f78d4f76646f5925415231e
SHA3-384 hash: bcbd3f381899b3c7894eb1baa31e0a0c85aa0734c0a1c70e03682f11409ce992468f59d2ddb5f4838699cca8f22eda88
SHA1 hash: 9646f32a99e2c42a418080bedbc370fbff60fbef
MD5 hash: 9f303a98fd3f9cf0b7ca59a3d2d6c47a
humanhash: fifteen-may-saturn-eight
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:308'224 bytes
First seen:2020-12-17 14:09:12 UTC
Last seen:2020-12-17 17:04:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 412434c6590220a26bbf72c7c07a425b (7 x AgentTesla, 4 x Formbook, 1 x NanoCore)
ssdeep 6144:aHY8Svy/snnNuecAaypocAFHvD08AS9+X0GGVSDDWPNck0+Td/:n8Sq/snNuFL7JvYm+nHuNbLTd/
Threatray 190 similar samples on MalwareBazaar
TLSH B364234D6A604AF0CE341B70153BFF6C09AA6D7303C6D5D289AABD83CC58A40B6F565E
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2020-12-17 14:11:16 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/5a907fbe-ab08-4fcd-96bd-4b5b3091c5d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.55700.723.9276.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565419
Signature
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5efd8831e841f808e66fd310f524425e45e091e04f78d4f76646f5925415231e/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 10:28:18 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l36yqmpiih4arztp2mipkjcclzc6bepaj54nj53gi32zevavempa._file
Verdict:
unknown
Similar samples:
086d2a6e11da6e37ab46eb8d75c2eeb3d4aa825001be71e1e109b4578e5a321c
AgentTesla
3809041ce9fcb7f00674e65db2fd63f94373df583d6e3e869943aeb08b34ad28
AgentTesla
4d302b4fd8564f5e3f9b505c0f342ec0e133fca6e5d0c6b3bd89746351561c5b
AgentTesla
680e50ffdfd67d8666b30384252366599e2aa714efc433740f470338647b61af
AgentTesla
7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c
AgentTesla
9634cf79c1254f6eb68967cc89267c50513f9df930c15bdcc77bbd1fa1b5add6
AgentTesla
c54deb9627b2dbaa9a3dac0298baf8417d7379c969ad76cee8450afe5d317dc1
AgentTesla
ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8
AgentTesla
e3be5f2b9bd4b6b4847cabb927de8818ffb29e3544dc667f9962c31c92bd87e7
AgentTesla
ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8
AgentTesla
+ 180 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201217-z4h6jnw5na/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
5efd8831e841f808e66fd310f524425e45e091e04f78d4f76646f5925415231e
MD5 hash:
9f303a98fd3f9cf0b7ca59a3d2d6c47a
SHA1 hash:
9646f32a99e2c42a418080bedbc370fbff60fbef
Link:
https://www.unpac.me/results/32ad9e42-3e58-4f49-83ee-2435c64a46d0/
SH256 hash:
1eb880a183abd22fe0c906ba926c6e21d2e15005c758f480e8c093cc2d0b34fc
MD5 hash:
5c877326cdbff9d69b4321995cef7fd6
SHA1 hash:
3fade5c0a4895b666506d45bbb40e67de0197ef8
Link:
https://www.unpac.me/results/32ad9e42-3e58-4f49-83ee-2435c64a46d0/
SH256 hash:
10dfb31020def84ca60fc7566d5bf58e9e541a1f78d436544f5a26dd45c9bf42
MD5 hash:
3c593fead98da6b15495367ea5490c80
SHA1 hash:
c62b059a23b0719c992c96389fc1143db16f146f
Link:
https://www.unpac.me/results/32ad9e42-3e58-4f49-83ee-2435c64a46d0/
SH256 hash:
546f11590124c5a045c526e4aeb3cac9e7412020a9bc56406685bdc5d3e09b58
MD5 hash:
71826d5168ae001fe338d164c3982fe2
SHA1 hash:
5bfad5b58aea2162a28c50c9774b6b5fc245f456
Link:
https://www.unpac.me/results/32ad9e42-3e58-4f49-83ee-2435c64a46d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5efd8831e841f808e66fd310f524425e45e091e04f78d4f76646f5925415231e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 413f6bd701ca75b1cde5d9fcbde7e5d6b5308d0f8e99f4c1835c2f31ee4b2620

AgentTesla

Executable exe 5efd8831e841f808e66fd310f524425e45e091e04f78d4f76646f5925415231e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 413f6bd701ca75b1cde5d9fcbde7e5d6b5308d0f8e99f4c1835c2f31ee4b2620

Comments