MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fcffc9f46e639452bab10ecbd5561232c83bfa938d45b24e1e753c2324acacf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	5fcffc9f46e639452bab10ecbd5561232c83bfa938d45b24e1e753c2324acacf
SHA3-384 hash:	78310b0ff3677076923b4df5d5b81561db7f7ffda6dc7f74934a0544e841a571d75547d7c89c1926630b96fe00ff22f8
SHA1 hash:	5d43f2c786fe49ebb27a20236ba44d75bd7c9f73
MD5 hash:	49288f85b41a830dec4f0beb45a80a77
humanhash:	dakota-summer-colorado-vegan
File name:	offer sheet for international business enquiry - fill the file attached about your company.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	617'472 bytes
First seen:	2021-02-08 09:03:40 UTC
Last seen:	2021-02-08 10:53:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:4faH130Cod3dKas/DA2GnK09cv8BjNa7RsRdAA:WaH1376wA2Gn8Uo4A
Threatray	2'491 similar samples on MalwareBazaar
TLSH	EFD49DE173408A64D47B97388536956326F3A60ECE69CA0D3DD6FF4B7D723424023A9B
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

offer sheet for international business enquiry - fill the file attached about your company.exe

Verdict:

Malicious activity

Analysis date:

2021-02-08 09:06:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4a580b1e-5a8e-47d7-acbb-fe66fcf7548b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/116025/

Detection(s):

SecuriteInfo.com.Variant.Ser.Ursu.7782.7674.11675.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/601627

Signature

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5fcffc9f46e639452bab10ecbd5561232c83bfa938d45b24e1e753c2324acacf/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-08 08:47:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l7h7zh2g4y4ukk5lcdwl2vlbemwihp5jhdkfwjhb45j4emskzlhq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

50534ba28f7816d167a68906737cb6fc77a40d48395dd3662fac75d8b9fd0228

AgentTesla

5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd

AgentTesla

92d9b1922bebbb60f7ca75eb99220f92bbdf687af32a4a966ec90fd562dfe96e

AgentTesla

a28923dedd3df222c1cec68d96cfe47e803d45956aa9e4b011856f135d4e105d

AgentTesla

b781df66caf45fdac58f73a6afef70d175ba9a2cbac69f1b55386d90d5e847a4

AgentTesla

c37b36375c43623e1e11c9df83bc8b0a5fe77ca20851330d59fa491695a14437

AgentTesla

dfd350ff1a1ee6f495e22f985909ce95f75dcfab4d27318ca208f31a560888f1

AgentTesla

e290a382d4dd65d349efa235b0c6b7a9f488eaa69b319d4b3a148823a00c9d07

AgentTesla

e998f0cbd6aef5d5efa2405caccf5594bdff5e18383a8aeccc26caa6b49a1ee0

AgentTesla

+ 2'481 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

ransomware spyware

Link:

https://tria.ge/reports/210208-9fckge6rr2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

8120c91b039d104eb881a94e4d7a0f202a946ce9400e8610b766e8063e01c305

MD5 hash:

690de10d398463ccdce67363a2ffa9b3

SHA1 hash:

ef655c3f238a1b1cefa3716496a0128859d539b8

Link:

https://www.unpac.me/results/93133b83-0471-4c95-a5f8-e9e0d7751fc1/

SH256 hash:

d60efcd50a23d1d94e9c6c1d62ae98989985f87533d86180d366f8ffd85d9197

MD5 hash:

29baf873f52ca475e2a3ce3b2903007f

SHA1 hash:

a3323d7b257802347139eae17dbf89f3a391f045

Link:

https://www.unpac.me/results/93133b83-0471-4c95-a5f8-e9e0d7751fc1/

SH256 hash:

2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849

MD5 hash:

befb0470c71d676cc891cba16088975d

SHA1 hash:

5b7143f97d1d656fd1cacf70949048c1951b639a

Link:

https://www.unpac.me/results/93133b83-0471-4c95-a5f8-e9e0d7751fc1/

SH256 hash:

5fcffc9f46e639452bab10ecbd5561232c83bfa938d45b24e1e753c2324acacf

MD5 hash:

49288f85b41a830dec4f0beb45a80a77

SHA1 hash:

5d43f2c786fe49ebb27a20236ba44d75bd7c9f73

Link:

https://www.unpac.me/results/93133b83-0471-4c95-a5f8-e9e0d7751fc1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5fcffc9f46e639452bab10ecbd5561232c83bfa938d45b24e1e753c2324acacf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MAL_RANSOM_COVID19_Apr20_1 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/