MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5cc6999416a62827fc86dc9b6a3f5b0ee3546986af845722ec0d019c8c30f6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5cc6999416a62827fc86dc9b6a3f5b0ee3546986af845722ec0d019c8c30f6b
SHA3-384 hash: 195e63bea50419a0bc55295553982f4d0a353a8d908e0d50f052e0e5d28d79ff3dd56bff364d30df0f4262a006d02f8b
SHA1 hash: c1e1657b8e4768b9c9886756b36715451adc67f9
MD5 hash: 7ae31295f30f130914053f4c832c6fd7
humanhash: fanta-fifteen-nuts-fix
File name:PO ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:699'392 bytes
First seen:2020-07-09 06:33:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6558f8c55c7046860294c7f6ce6c298 (14 x AgentTesla, 5 x FormBook, 3 x Loki)
ssdeep 12288:gk7Yi4Xj/tQBWi/y67k86oxVOwBEfcS2rjS2axoBNaDqIilL8:B14/oDnsUgk1FrjSJUYD9KL8
Threatray 11'775 similar samples on MalwareBazaar
TLSH 2FE4AF22E2E04433F37316399D17D77C5836BE313E695A4B2BE55D4C6E3828238662B7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps.zedenect.com
Sending IP: 45.95.169.29
From: Xincheng Industries Co.,Ltd. <CA_EMEA_Italy@clariant.com>
Subject: Fwd: Re: Order
Attachment: PO ORDER.zip (contains "PO ORDER.exe")

AgentTesla SMTP exfil server:
mail.elkat.com.my:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23406/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.6016.5488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5cc6999416a62827fc86dc9b6a3f5b0ee3546986af845722ec0d019c8c30f6b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 06:35:08 UTC
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxggtgkbnjrie76inxe3ni7vwdxdkruynl4ek4roydibtsgdb5vq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
11cbefd8e1c96efcac9c45d4da8d3ceadfe82666c6513a5d09586bfe24139bed
AgentTesla
2cd161bf9ebb0ee90df07f509117a39b149f304cfbee67284046402ea406a1c4
AgentTesla
35f0e8ca3bab29cfdf15c42ba6879af714ee203082d9cffc70a0b05e4eaae0ed
AgentTesla
420da876f8efdf70da0ec0ccd1b7aaa09547b6868d5fc655c05b50eadf20c360
AgentTesla
5dbe09570ca27d28729eb1ad2da43e91349226a7f1673c07bc88411f773d7edb
AgentTesla
83d8b3913153282a251fc2f7bf74f701e02969441341297823957e5d35a5c3b0
AgentTesla
8f746ab02591cecc45226d28bf483dff6616f697c1d79f8d1daddd5e8ba1d764
AgentTesla
a6290ccc075d6f4d66eb6bdb5a1e36ef943eddeeead1460e9089564580f36271
AgentTesla
e91593299dba4d7f9362c8d64e701413af0384f0f7ecca356ab138497f3a8e4d
AgentTesla
f16ce2e727287e9b40a9d148b2b6b3c8ba538be0e5e5b5d50829813907fa4194
AgentTesla
+ 11'765 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200709-mfwxerf71x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 195c10c6a1b2c955de3f8eb6fed550e0f805f85e2f9ec3012c7abfb7b8ec04e2

AgentTesla

Executable exe b5cc6999416a62827fc86dc9b6a3f5b0ee3546986af845722ec0d019c8c30f6b

(this sample)

  
Dropped by
MD5 eb7fe4687b346b69e73ba37dadfd9079
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23406/
  
Dropped by
SHA256 195c10c6a1b2c955de3f8eb6fed550e0f805f85e2f9ec3012c7abfb7b8ec04e2

Comments