MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f513e933988ba3b2b38b1a15589a3d0246f2b7c046114fffa0ccf2b7fb4282b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f513e933988ba3b2b38b1a15589a3d0246f2b7c046114fffa0ccf2b7fb4282b
SHA3-384 hash: 6589260619123fccd7ef623823249092a619fe1e420af2b1ee97abe2843fe432aea4754f6aa26bc68206f21ae5daa1a8
SHA1 hash: 87d2ce927b616d63470081fc5fe154efcfa8aa03
MD5 hash: 1090413a7a7d4443482295471d7b6e7a
humanhash: moon-paris-montana-ten
File name:SecuriteInfo.com.W32.AIDetectNet.01.27397.24072
Download: download sample
Signature AgentTesla
Create hunting rule
File size:710'656 bytes
First seen:2022-08-01 04:44:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:zEg6SKlpxoYgYGR2+XuO9csCTsi7oBC1Dr8l8DCtmTAo0I:KLlpxoYgYE8ycsEPDMNDI
Threatray 20'457 similar samples on MalwareBazaar
TLSH T1AAE41294B28D8617E9760FFAF60061208B79AD7F6065F20589D83CFB5972B5B4B00F87
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7964c60935666967 (3 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295453/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.27397.24072.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e75aa20d534e60816c274d/reports/5894d4dc-1076-4166-99e4-21c77f8cdb5b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56a8e0ca-13c3-417c-b0d6-f7128298b169
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043953
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676447 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 01/08/2022 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected AgentTesla 2->39 41 5 other signatures 2->41 6 bgnFA.exe 3 2->6         started        9 SecuriteInfo.com.W32.AIDetectNet.01.27397.exe 3 2->9         started        12 bgnFA.exe 2 2->12         started        process3 file4 43 Multi AV Scanner detection for dropped file 6->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->45 47 Machine Learning detection for dropped file 6->47 14 bgnFA.exe 2 6->14         started        18 bgnFA.exe 6->18         started        27 SecuriteInfo.com.W...et.01.27397.exe.log, ASCII 9->27 dropped 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->49 20 SecuriteInfo.com.W32.AIDetectNet.01.27397.exe 2 5 9->20         started        signatures5 process6 dnsIp7 51 Tries to harvest and steal ftp login credentials 14->51 53 Tries to harvest and steal browser information (history, passwords, etc) 14->53 55 Installs a global keyboard hook 14->55 29 mail.gpd-qatar.com 50.87.253.110, 49771, 49853, 587 UNIFIEDLAYER-AS-1US United States 20->29 31 192.168.2.1 unknown unknown 20->31 33 windowsupdatebg.s.llnwi.net 20->33 23 C:\Users\user\AppData\Roaming\...\bgnFA.exe, PE32 20->23 dropped 25 C:\Users\user\...\bgnFA.exe:Zone.Identifier, ASCII 20->25 dropped 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->57 59 Tries to steal Mail credentials (via file / registry access) 20->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->61 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f513e933988ba3b2b38b1a15589a3d0246f2b7c046114fffa0ccf2b7fb4282b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 02:37:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5it5ezzrc5dwkzywgqvlcnd2asg6k34arqrj772bthsw75ufavq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6cfbf205225e6ba71eb7f9d214e2d93d932946eb7ff5821f9027c589a4e2ae77
AgentTesla
7bf4272ee9d4a8e8c5e18d07faa5190f311cd1d32b928bf4bcab080a0af9adef
AgentTesla
a3f9e56d46a016d315e5e84179143112b6bca3433ec281476d2360e66c1bba7f
AgentTesla
b826516b9fe4412f730527fa84dd3f1f927b58c933fad403dc64e54815cb147a
AgentTesla
e47a0c52865bd0c492469ac52a6a11e9fe65c2317dc022a3c8164f03f0be9ebc
AgentTesla
ecd614a1063fef293aad824e9237119d2943fb184bb6496eeb74e5807c05bf02
AgentTesla
ff27368e4af5109ffce1cedd527fd833940aa61dd68d060dd95e9a984e26ebd2
AgentTesla
+ 20'447 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220801-fddprsada7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/f754081c-5470-43cf-bbca-f2d492dc1783/
SH256 hash:
da20b094a431061d31b90610f688ce0b1d68a52dd19f3de20fef7447c47fa83a
MD5 hash:
9b8e9ba106209ee88338935231853f4b
SHA1 hash:
9716419c98f47835d3edfaa0b991b579688a731f
Link:
https://www.unpac.me/results/f754081c-5470-43cf-bbca-f2d492dc1783/
SH256 hash:
5dc8c71d42e9ec0e499a56995c34c7dc8ef57be6c46f10e1e071383771389f1b
MD5 hash:
5f7268b1941c9396828e7c5cf2554635
SHA1 hash:
6b12ced50e215b38ff7f604652ec08285dd6d34e
Link:
https://www.unpac.me/results/f754081c-5470-43cf-bbca-f2d492dc1783/
SH256 hash:
5554daa82d5b140520de57afecfccf31dd1c390c73a3541bc04b334369b6cb5e
MD5 hash:
d417b820499b039d81dfe00e6c6857bf
SHA1 hash:
59019a50928ede9138b17f1d7083cf309a7d65c5
Link:
https://www.unpac.me/results/f754081c-5470-43cf-bbca-f2d492dc1783/
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
Link:
https://www.unpac.me/results/f754081c-5470-43cf-bbca-f2d492dc1783/
SH256 hash:
5f513e933988ba3b2b38b1a15589a3d0246f2b7c046114fffa0ccf2b7fb4282b
MD5 hash:
1090413a7a7d4443482295471d7b6e7a
SHA1 hash:
87d2ce927b616d63470081fc5fe154efcfa8aa03
Link:
https://www.unpac.me/results/f754081c-5470-43cf-bbca-f2d492dc1783/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5f513e933988/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f513e933988ba3b2b38b1a15589a3d0246f2b7c046114fffa0ccf2b7fb4282b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/295453/

Comments