MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f10bf5a244a6103ba9ce1193f9ec62af6e2656ee3a69fbcccb3afc707a31616. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments 1

SHA256 hash:	5f10bf5a244a6103ba9ce1193f9ec62af6e2656ee3a69fbcccb3afc707a31616
SHA3-384 hash:	f355896217e5a2a89882e9cac7940b5a6dcc6afa3d443353e30a0508b46fdba71951d96cdc7f4d8e07810fdd3f629e2c
SHA1 hash:	6dd595b26537b439f17fc2106a556763a63e68d1
MD5 hash:	810848510f200d7315f3cf8ff9581b20
humanhash:	oranges-moon-lima-princess
File name:	810848510f200d7315f3cf8ff9581b20
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	586'752 bytes
First seen:	2022-01-15 10:02:18 UTC
Last seen:	2022-01-15 11:49:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:KK777777777777N7jPdorkJKu7muBs/ChQnVPAaBP39xE3:KK777777777777ljVorkMiB/hePAy39x
Threatray	13'962 similar samples on MalwareBazaar
TLSH	T143C4F18F7759A732CEE05E78085184504B68AC9F6612C2063CFCFEAE71B3385554E79B
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

224

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pending SOA.xlsx

Verdict:

Malicious activity

Analysis date:

2022-01-15 09:01:30 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/9c9d8a98-e19f-4598-96b1-efbc4a2ca84e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/219497/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop19.25374.17671.24375.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/61e29bdee997359713f1b3f5/reports/62293a23-8538-4336-854a-783a997837fa/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c45bd85b-d624-4c0a-9b0f-f686fde3b006

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/921135

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicius Add Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f10bf5a244a6103ba9ce1193f9ec62af6e2656ee3a69fbcccb3afc707a31616/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-14 23:06:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 43 (67.44%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

268de2ab05c9f844c97325e9330ba981bfb92f86a2a9f5c7a2691bb71614d84a

AgentTesla

26ecc2fcee3b45b75f897db162661edf0175056b9d186b8bd0f2a0142b149211

AgentTesla

3cbf94c22af49ad9be152750428263c826c9b020036a0321f10f9fe2eed6ae52

AgentTesla

5bde6250149c3899c1153daf195112c616599858a9f0db65686bf243844bc09b

AgentTesla

77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3

AgentTesla

7e1b687eacd72adc96e81f6174801c15e9ed15877c278fda3d60ae35763767fd

AgentTesla

ccd3b1025026f005eab390a02815e3689f879ea7ad985f5aa760b208d4f27318

AgentTesla

+ 13'952 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220115-l3eagsdgc3/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

edcd13bc4003a967031ae46483270b90d39aac88e837c8735cc7a09acb252963

MD5 hash:

920b9be9fc08938e54b905dadf37bd34

SHA1 hash:

ab09c4c82b4506ce005f25217ba633fd8623d284

Link:

https://www.unpac.me/results/7f23c43c-3b3a-4c53-9389-6972b6ae1fd0/

SH256 hash:

6d6255e43f8c15ac35d75832b1b8ac911010720326488ca424eee3e0566817c6

MD5 hash:

6fbeffefb041ca0248c2873f8f170127

SHA1 hash:

dc99780c9888bd4855c7fb8c75e95921ecd6a96a

Link:

https://www.unpac.me/results/7f23c43c-3b3a-4c53-9389-6972b6ae1fd0/

SH256 hash:

be876a168f64f5f61684d045a12cb5883ed3b4903b98dcb1982009dcfeafec65

MD5 hash:

c6ddfbacc24b02fc554d7d460cf16e3a

SHA1 hash:

f579733fd07a9f428deca8f9244ef6a82a49147d

Link:

https://www.unpac.me/results/7f23c43c-3b3a-4c53-9389-6972b6ae1fd0/

SH256 hash:

5f10bf5a244a6103ba9ce1193f9ec62af6e2656ee3a69fbcccb3afc707a31616

MD5 hash:

810848510f200d7315f3cf8ff9581b20

SHA1 hash:

6dd595b26537b439f17fc2106a556763a63e68d1

Link:

https://www.unpac.me/results/7f23c43c-3b3a-4c53-9389-6972b6ae1fd0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f10bf5a244a6103ba9ce1193f9ec62af6e2656ee3a69fbcccb3afc707a31616

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.