MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5cf6e34c00c5f0909467f20d071c313c26d8e8849dc920908d3df27d7256506. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5cf6e34c00c5f0909467f20d071c313c26d8e8849dc920908d3df27d7256506
SHA3-384 hash: 9775e6ce7876faa44e630424994d4b2ca3ddb30ef598e67f0a3f1ed9c05a342d4f812a97944851b6711dc87b32d9d0c3
SHA1 hash: 10f00e63044b9cd54244505c7189aa1c29f735b7
MD5 hash: e6a3425c04f036dcd5d5dfbf4d343eca
humanhash: robert-idaho-oregon-potato
File name:Inv,Delivery note.jpg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:33'280 bytes
First seen:2022-05-11 05:14:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:T3Am0DLALa8XViZ6wIs6TT9h83OGXzfKDVFKti/xynLk39Q3AM:muZS6Rs69h83OGXzk3WLS9Sx
Threatray 2'556 similar samples on MalwareBazaar
TLSH T1ABE2F81037A8E964ECA548308C13F3742A30FD96B9525B7763C4A6CFEC33585EE725A8
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 8007c6888c8990b2 (2 x DanaBot, 2 x RemcosRAT, 2 x Wapomi)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269599/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/627b466fbd5c76586e2c437b/reports/fb006423-810b-4f05-bf33-6231b3732638/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/86f50570-b7a8-43a7-9fa9-391e3dcb57c6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/991610
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5cf6e34c00c5f0909467f20d071c313c26d8e8849dc920908d3df27d7256506/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 22:22:36 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
20
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxhw4ngabrpqsckgp4qna4odcpbg3duijhojecii2ppspvzfmuda._file
Verdict:
malicious
Similar samples:
3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50
AgentTesla
4464483a19cb1ad8b1bac91be04eaf972807cdb48f10b1fc5b675563ba1fe350
AgentTesla
526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843
AgentTesla
791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544
AgentTesla
abe4dfebcc520433a7e9d2f95b0cd46ff6e05c754b046cdb8fd0a72583259332
AgentTesla
b2de4d6e7f10dbe1d2f5e91e3122f640494a76d6d8a6ffcb6fc9861170dc4123
AgentTesla
+ 2'546 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220511-fxkbnafgf9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5353503679:AAEJ2PXDCuq1nn55H7AnHpcP0d_3E3empJM/sendDocument
Unpacked files
SH256 hash:
b5cf6e34c00c5f0909467f20d071c313c26d8e8849dc920908d3df27d7256506
MD5 hash:
e6a3425c04f036dcd5d5dfbf4d343eca
SHA1 hash:
10f00e63044b9cd54244505c7189aa1c29f735b7
Link:
https://www.unpac.me/results/c282c255-bf40-44bb-83bb-ed9184406173/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5cf6e34c00c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5cf6e34c00c5f0909467f20d071c313c26d8e8849dc920908d3df27d7256506

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 4f0c88afd74d2b32aaced97e4dc024c5e10d5a6fb4cf929adf8bc654d98407d5

AgentTesla

Executable exe b5cf6e34c00c5f0909467f20d071c313c26d8e8849dc920908d3df27d7256506

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4f0c88afd74d2b32aaced97e4dc024c5e10d5a6fb4cf929adf8bc654d98407d5
Cape
Cape
https://www.capesandbox.com/analysis/269599/
  
Dropped by
MD5 d1f0427af81218f5ec55bce19c797b25

Comments