MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27
SHA3-384 hash: 0384d8aaf380d1b835ce415b0bbf76257725e002e9bbd5d3674f0e960b6adb97cabe7ed3729fc4c105f72df5501cfdd8
SHA1 hash: 0c5aac18919271414c794ead551809844276beb8
MD5 hash: efc1b8e9f7c1d679f1f4697ab72b658d
humanhash: illinois-early-mississippi-eighteen
File name:signed_19272.zip(~18 KB) (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:733'184 bytes
First seen:2020-11-26 06:47:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Cb4JO38L2iNK7C8RcL9bKirJJOk8eNHfHLoXCt8LFxP7r9r/+ppppppppppppppZ:Cb4JO38L1A7C8axrCAToXO8r1q
Threatray 1'513 similar samples on MalwareBazaar
TLSH 39F49DB1E4856A90DE19AB71AA32CD301E233DBFA934D41C29DD3D6B3BBB7935015423
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: MANAGEMENT <javaid@cyber.net.pk>
Subject: RE:Signed_document for urgent_shipment..
Attachment: signed_19272.zip~18 KB 2.zip (contains "signed_19272.zip(~18 KB) (2).exe")

AgentTesla SMTP exfil server:
mail.alsayyadi.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547790
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 06:48:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5apb22zh4bafsf7ip7omuqbjguvdtwsnquzxn6nz22chz2cfitq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2afd51643d6941bd1cb12c0a3b998315bb72d2fd0b1f8f0ca557007e090e87b0
AgentTesla
46022bb61b093ea357f809fac3519b84e9e1dc78543d9516d5fff4d9ecb8c77e
AgentTesla
6259d84615827c7f100cc69ea82035986f7d2011c9b1ea9de78c88e261af668e
AgentTesla
6e070df16a98956dd19b7313c542a8462704f95b8aeca246625d3a2cda152ba6
AgentTesla
7b7fd4955b651b7279580f7f52d30b7539becf0a637257ee53abeb7dcd03e3e8
AgentTesla
a4cbe2fef2108f52a5f1bde9893f60faabc1042137bf40229dcf54598e608c3b
AgentTesla
bacbd1e1b139791f7ca8eeba6a14cf7b34c9c010aca5ce7eb527aea212448868
AgentTesla
c00a516a6bdcb2118625e8156904192e491dba809a8088ce8b6da29eac55d41e
AgentTesla
c822aa53c6e49a7aa3e32869936583cd7308a414974d76b9bdd196908befbc16
AgentTesla
df961abf980841097fcebf95b14f05e1192635cb6e379d0c58c3ec307f732f3f
AgentTesla
+ 1'503 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201126-yqqgtvymje/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/06062ad7-fb71-43e1-bfa8-33cc69388591/
SH256 hash:
0d7b611efce6b99adcdb7aee69309cbfb1ae9b7c87e1264bd21e97c64e96bf4f
MD5 hash:
39f1d7891da46ab48e32bc90437ab9bc
SHA1 hash:
aeb87081387efe51a4b77f55e53fd54def6a35df
Link:
https://www.unpac.me/results/06062ad7-fb71-43e1-bfa8-33cc69388591/
SH256 hash:
655cab48e011d2f0d2eddaf1c9510484e7ab437c5e8d67fed22902f55d81927f
MD5 hash:
70ce0419d20a14afee863d1e3db56378
SHA1 hash:
c2262538258c8d576a2b2a86206a78d3fd26c83a
Link:
https://www.unpac.me/results/06062ad7-fb71-43e1-bfa8-33cc69388591/
SH256 hash:
5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27
MD5 hash:
efc1b8e9f7c1d679f1f4697ab72b658d
SHA1 hash:
0c5aac18919271414c794ead551809844276beb8
Link:
https://www.unpac.me/results/06062ad7-fb71-43e1-bfa8-33cc69388591/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8d119803d01cdec1adc2cb62bba969c44313c0f16a740c9d2405b85cc0289d53

AgentTesla

Executable exe 5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27

(this sample)

  
Dropped by
MD5 11dbaeaa5887d41e0445211291226bbb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8d119803d01cdec1adc2cb62bba969c44313c0f16a740c9d2405b85cc0289d53
Cape
Cape
https://www.capesandbox.com/analysis/105599/

Comments