MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
SHA3-384 hash: ca5586a60897f059a75d13fd91f2388bbea86f9bf00c55b0ba696093cd3ed8e32fbaf4334fcdc83efc928e72d6f753cf
SHA1 hash: ada3f9cf06008cba824e4bcda68f80da99d13893
MD5 hash: 4252062a013af0c7953e4d14fe646e93
humanhash: monkey-ceiling-robin-seventeen
File name:PAYMENT NOTICE.Scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:806'912 bytes
First seen:2022-12-12 12:45:04 UTC
Last seen:2022-12-12 14:36:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:UraCDwovMPVLs5pcMrQJ63f81b34B5O8f:4aSJMPJGrQJ6vYr4jO8f
Threatray 23'549 similar samples on MalwareBazaar
TLSH T11B054B0CF3488D2AFDAA87FC369244DE609E548C783077D08685E0F9B678DAE67CB554
TrID 49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.7% (.SCR) Windows screen saver (13097/50/3)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 0c525252c9c4e42b (3 x AgentTesla, 2 x Formbook)
Reporter cocaman
Tags:AgentTesla exe payment scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PAYMENT NOTICE.Scr
Verdict:
Malicious activity
Analysis date:
2022-12-12 12:48:00 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/2a0eb134-8306-4ef7-94d7-8085782e5e4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345429/
Detection(s):
SecuriteInfo.com.Variant.MSIL.Bladabindi.6.16697.13111.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6397228ba2c2485912c8057c/reports/4697394b-07c4-4b43-8ff4-40a7633ecd20/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90220a44-0f60-4012-9871-ff1fd74b5ec9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132619
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 765343 Sample: PAYMENT NOTICE.Scr.exe Startdate: 12/12/2022 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 Sigma detected: Scheduled temp file as task from temp location 2->71 73 8 other signatures 2->73 8 PAYMENT NOTICE.Scr.exe 3 6 2->8         started        11 mrYHLrofvW.exe 2->11         started        process3 file4 45 C:\Users\user\AppData\LocalNePRdcnFKm.exe, PE32 8->45 dropped 47 C:\Users\user\...\PAYMENT NOTICE.Scr.exe.log, ASCII 8->47 dropped 14 LocalNePRdcnFKm.exe 6 8->14         started        18 AcroRd32.exe 42 8->18         started        79 Multi AV Scanner detection for dropped file 11->79 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->81 83 May check the online IP address of the machine 11->83 85 3 other signatures 11->85 20 mrYHLrofvW.exe 11->20         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 49 C:\Users\user\AppData\...\mrYHLrofvW.exe, PE32 14->49 dropped 51 C:\Users\user\AppData\Local\...\tmpCAF1.tmp, XML 14->51 dropped 87 Multi AV Scanner detection for dropped file 14->87 89 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->89 91 May check the online IP address of the machine 14->91 101 5 other signatures 14->101 25 LocalNePRdcnFKm.exe 14->25         started        29 powershell.exe 21 14->29         started        31 powershell.exe 21 14->31         started        33 schtasks.exe 14->33         started        35 RdrCEF.exe 77 18->35         started        53 work-toolz.click 20->53 55 api4.ipify.org 20->55 57 api.ipify.org 20->57 93 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->93 95 Tries to steal Mail credentials (via file / registry access) 20->95 97 Tries to harvest and steal ftp login credentials 20->97 99 Tries to harvest and steal browser information (history, passwords, etc) 20->99 37 conhost.exe 23->37         started        file8 signatures9 process10 dnsIp11 59 api4.ipify.org 64.185.227.156, 443, 49695, 49697 WEBNXUS United States 25->59 61 work-toolz.click 108.170.55.202, 49696, 49698, 587 SSASN2US United States 25->61 63 api.ipify.org 25->63 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->75 77 Tries to steal Mail credentials (via file / registry access) 25->77 39 conhost.exe 29->39         started        41 conhost.exe 31->41         started        43 conhost.exe 33->43         started        65 192.168.2.1 unknown unknown 35->65 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-12-04 23:21:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
35 of 40 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5pzrqm7rcpedknhhomr5zfo3suqavpyjcuewfcbvzc35djyb5wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1077d3daea82b7cb84943204ccfc70ee040676a305d7027c7980512b3da80f53
AgentTesla
10a93da7c42086684ef092f01843f6e69393d91222fe6ee894d4cee54a8715cd
AgentTesla
2ac99a0d6380c05c5cd8062d20855f96cc600cc22412c3dc1117b040dca19c00
AgentTesla
3a940b88c6cc22f5051a10c4b437cfb72aa9aad9e0bcb15c18a83116e80739d4
AgentTesla
3f08f63c3f336f3823c710a40e674421bbc6316e0088e0989d1ac06085bc5b62
AgentTesla
5e63926b7ce5fb0d4bc1363397c655d0c3b29114497308db183b124b048c033f
AgentTesla
624986bf92ce4a3301888ca62e5e20b19d4b662862fb2289d87865a3d67b206d
AgentTesla
b02d61086cfa6f876e71f4eb2ba5bae874887cf3ef87c339cc634151a388f679
AgentTesla
b7394e25936c4fd44716fcdcce914a35c0cdb0980e4527035681df4f800520e7
AgentTesla
c1f9f8a6133d2f6f01574b1a8dafabae2376448bc7a6727a66b8070b66ff15dd
AgentTesla
+ 23'539 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221212-py4lcsbd26/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f96ddbac-01e5-4ecb-b442-0078349c8ff4
Unpacked files
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/2622a768-8ce5-46ce-b415-f078330a9a56/
SH256 hash:
841ccdbf075cbbb532affe193d7fa4e556f853edf9d1b5d282a9b0ae5dac863b
MD5 hash:
9ebb397e4d5f64175fc3199603e06093
SHA1 hash:
b7f6b59df0155f0977769e0252c38b6d163b3c22
Link:
https://www.unpac.me/results/2622a768-8ce5-46ce-b415-f078330a9a56/
SH256 hash:
92f5824035b5f20177b6957be322a82aa98e53968fc375bd91caa633d1590be9
MD5 hash:
5bbe72f90a138a56801ef8f00b6041a2
SHA1 hash:
9a980d0ce6d3c57dae20b74b87f9e62c4004dfef
Link:
https://www.unpac.me/results/2622a768-8ce5-46ce-b415-f078330a9a56/
SH256 hash:
d3fbde70f75e3a3f92fd38bfd950305afb8201b99ce74be476988aed74dd43c0
MD5 hash:
6f063fffb2472cd94effe915ec20c104
SHA1 hash:
56088ce64ea65d3fbc68b72d41b81dea8dab5f16
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/2622a768-8ce5-46ce-b415-f078330a9a56/
Parent samples :
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
900f7aff738126f83c3181410a3909ebbf1de94a75fe4ec1a74532252124e36c
SH256 hash:
9e297d8deae8074320297684a9af8086f1463d7f1583c3d75fbc0458ab6b9050
MD5 hash:
d9744cdfe93ca02f353c4047ddeaf461
SHA1 hash:
162c5634c6ebb9249a8f83080015de4090dbfed5
Link:
https://www.unpac.me/results/2622a768-8ce5-46ce-b415-f078330a9a56/
SH256 hash:
29e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b
MD5 hash:
cf358bc6184346eb189370a89efb4faa
SHA1 hash:
4cc15bf7e60150cce098c5e905702d3038996e46
Link:
https://www.unpac.me/results/2622a768-8ce5-46ce-b415-f078330a9a56/
SH256 hash:
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
MD5 hash:
4252062a013af0c7953e4d14fe646e93
SHA1 hash:
ada3f9cf06008cba824e4bcda68f80da99d13893
Link:
https://www.unpac.me/results/2622a768-8ce5-46ce-b415-f078330a9a56/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5f5f98c19f88/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz e9d14bdd00761e9462fcdd8ea01e8868beb5b61b216374d8bb1fa52ea58ed3aa

AgentTesla

Executable exe 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e9d14bdd00761e9462fcdd8ea01e8868beb5b61b216374d8bb1fa52ea58ed3aa
Cape
Cape
https://www.capesandbox.com/analysis/345429/
  
Dropped by
MD5 c34d2608fabf3331edfa22491d4c91c4

Comments