MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f92965f40b8e0f0b73a0aab84e145591f738ef12cfbe8472f1b908b53c19ce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f92965f40b8e0f0b73a0aab84e145591f738ef12cfbe8472f1b908b53c19ce0
SHA3-384 hash: 70e9c6236b3345a8ca73633c2fdd8160ee8d13d61bce60d037fbedd8618edecae1951a4e6f1301fe608892d87da64cf8
SHA1 hash: 5fb33d7bde970e85166fe3d168cd789997533841
MD5 hash: 3a62e077c1da8b24c5c64c45075f6c36
humanhash: vermont-golf-johnny-september
File name:57901002.jpg
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'164'800 bytes
First seen:2020-08-19 14:43:57 UTC
Last seen:2020-08-19 15:47:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:HKNLdi936Az8BnYORTeNKC8JxawwaJmBM5smgYp:HKNLdi93F85YOvhCM5sR
Threatray 10'586 similar samples on MalwareBazaar
TLSH 9645A5242B8544D4DA390E3134345D935735BECA3A68CB1F699B36D9DF3318B3A2E1CA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.sgbcg.com
Sending IP: 113.11.251.241
From: Mrs Christina Khor <Account1@sendmystuffs.com.sg>
Subject: RE: INTERNATIONAL OFFSHORE SOA FOR AUGUST 2020
Attachment: 57901002.xls

AgentTesla payload URL:
http://13.231.151.34/w3/57901002.jpg

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48657/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Krypt.12.18708.25956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/438579
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Sigma detected: Add file from suspicious location to autostart registry
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271768 Sample: 57901002.jpg Startdate: 20/08/2020 Architecture: WINDOWS Score: 76 34 Yara detected AgentTesla 2->34 36 Sigma detected: Add file from suspicious location to autostart registry 2->36 38 .NET source code contains very large array initializations 2->38 7 57901002.exe 7 2->7         started        10 pcalua.exe 1 2->10         started        12 pcalua.exe 1 1 2->12         started        process3 file4 28 C:\Users\user\AppData\Roaming\rg.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->30 dropped 32 C:\Users\user\...\rg.exe:Zone.Identifier, ASCII 7->32 dropped 14 rg.exe 2 7->14         started        17 cmd.exe 1 7->17         started        19 rg.exe 3 10->19         started        process5 signatures6 42 Writes to foreign memory regions 14->42 44 Allocates memory in foreign processes 14->44 46 Injects a PE file into a foreign processes 14->46 21 InstallUtil.exe 2 14->21         started        23 reg.exe 1 1 17->23         started        26 conhost.exe 17->26         started        process7 signatures8 40 Creates an autostart registry key pointing to binary in C:\Windows 23->40
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f92965f40b8e0f0b73a0aab84e145591f738ef12cfbe8472f1b908b53c19ce0/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 07:51:21 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6jjmx2axdqpbnz2bkvyjykflepxhdxrft56qrzpdoiiwu6bttqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d4d3af44ed0aa3154be8537fa238439090826f9f5cc264b967e60699f0e9d4a
AgentTesla
0e928609807c597f7046341f0a335738ae8efa905be3c51de1f47d3c5ffb1996
AgentTesla
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
3bfaa6286d8fbef05f151d5187b10b0d1db59112e36da9240e240c28a143b624
AgentTesla
6c7624c020bb11d5803286dc0fc1d9ee44d21be97207573051bcd322091a731b
AgentTesla
a1077b012372849e6b3db7818210e573678d9c2154c5431a7a48abb2868a839f
AgentTesla
a348251ca8856d6984701e79b0946e27410542a8d6769bc0d902239ff41efc9f
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
ef7a8f1478e57d2dedf96a00501903b7b5a571680286502f2f329ed2c8728b2b
AgentTesla
f242ad8f253e4e481529cffa7b3d697683649ba31b8c8500f2d24d2bf591e553
AgentTesla
+ 10'576 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
agilenet keylogger stealer persistence trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200819-lapc4jyv7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f92965f40b8e0f0b73a0aab84e145591f738ef12cfbe8472f1b908b53c19ce0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xls c3ea9db07e0d439866c3789f94c83043f0ace2bc6a6d1ca42d487b83c96ac6a1

AgentTesla

Executable exe 5f92965f40b8e0f0b73a0aab84e145591f738ef12cfbe8472f1b908b53c19ce0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/436647/
  
Dropped by
MD5 baadea03921d91188938d5bd6074c630
  
Dropped by
SHA256 c3ea9db07e0d439866c3789f94c83043f0ace2bc6a6d1ca42d487b83c96ac6a1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/48657/

Comments