MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb5f661c2d85c4e1156418cf0567e4a3d01c7190dad1073a40bf74cae0ffdb9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb5f661c2d85c4e1156418cf0567e4a3d01c7190dad1073a40bf74cae0ffdb9e
SHA3-384 hash: aaee9f32e813c792be086de8c195f4201fe7c00f5217182cc41af92fb8e08e01f36c4342248549c16e38e79d0b1e68eb
SHA1 hash: 27d6a3d74f18ac80f2c31e4ac6a55e6e4f86781e
MD5 hash: ad37c4fbd16cf5a352fa7d1c305ea3a3
humanhash: beer-march-bulldog-bulldog
File name:Quote.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:605'184 bytes
First seen:2020-11-07 10:17:08 UTC
Last seen:2020-11-13 15:40:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:73ZlHBieick4X5dbjIKwWmueQfRNbLHi:THBpicxT4ZmZNHi
Threatray 1'019 similar samples on MalwareBazaar
TLSH FCD4BE3252B80B94E07FAF79D1AD784D1BF1B0529311E64EEF9C13BD64E1E818672E12
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: iflytek.com
Sending IP: 36.7.172.15
From: 储佳佳 <jjchu3@iflytek.com>
Subject: QUOTE USD PRICED FOR ATTACHED
Attachment: Quote.zip (contains "Quote.exe")

AgentTesla SMTP exfil server:
server266.web-hosting.com:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.14521.3723.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/523760
Signature
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb5f661c2d85c4e1156418cf0567e4a3d01c7190dad1073a40bf74cae0ffdb9e/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 22:23:08 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnpwmhbnqxcocfleddhqkz7eupiby4mq3liqoosax52mvyh73opa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9
AgentTesla
288e38a633a49c3a30c842250ef331f22201b2acee124e9b108d498b28cb2ba3
AgentTesla
310f5815e8e68ccdf1d75985e8fbbe6b3b9a6997155505d97066d75c6ab9ced7
AgentTesla
51477b02467aaaf53423652ed3cad01fc40fa63725602913aa6a84a0a748ddd9
AgentTesla
586eadfc1fef3d64e165d65502aa2e27ef8a4ab4079ac1e4d96d4f65e0126a6f
AgentTesla
5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe
AgentTesla
6ea11326c3a5f1868bc3e68659b48bc00a0ac1eaa5941d40c0d0c42c039aad85
AgentTesla
a94b1b1f02dbaf0895a93de9df8603115501866ce76a147cb2e4330b0894b928
AgentTesla
a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641
AgentTesla
f39b3fc42fd8089d99eae4cb1ecead6e3d772007d766c1f982ab1834af68dc00
AgentTesla
+ 1'009 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201107-d1mtz4rs5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
bb5f661c2d85c4e1156418cf0567e4a3d01c7190dad1073a40bf74cae0ffdb9e
MD5 hash:
ad37c4fbd16cf5a352fa7d1c305ea3a3
SHA1 hash:
27d6a3d74f18ac80f2c31e4ac6a55e6e4f86781e
Link:
https://www.unpac.me/results/3427e5ca-414d-4c9a-bda0-bb91bc7c6649/
SH256 hash:
ffb8b8bfaa9b9114f4551cfabe31e62fc2e55813ad79958261d13ef96e98a758
MD5 hash:
8de810866e546bf4eba270eb27ec7505
SHA1 hash:
2527c2c4ccb004a29315b5829539b0077af8a206
Link:
https://www.unpac.me/results/3427e5ca-414d-4c9a-bda0-bb91bc7c6649/
SH256 hash:
8bbe9bd2456e32536aef3aca407806f964ab8967ff828c6696098b70cd6f5fb6
MD5 hash:
d82f5e165e6141863c37e18af74b4bb4
SHA1 hash:
a46ca80089db247111984bdfeec6a55c85249ac1
Link:
https://www.unpac.me/results/3427e5ca-414d-4c9a-bda0-bb91bc7c6649/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/3427e5ca-414d-4c9a-bda0-bb91bc7c6649/
SH256 hash:
b5cb3b571b23a7d1384921f0f08efc050d54e2de48f2e88adb69ba1492d17ee2
MD5 hash:
51f553591712b63a8e6efa2523fa8e79
SHA1 hash:
f916b2c2b7f2cfe224334f6f6af49231b67e297a
Link:
https://www.unpac.me/results/3427e5ca-414d-4c9a-bda0-bb91bc7c6649/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5bdc7542054db176843dc80f52316fe4961254ed557bd3e9afc5a4711b2cd370

AgentTesla

Executable exe bb5f661c2d85c4e1156418cf0567e4a3d01c7190dad1073a40bf74cae0ffdb9e

(this sample)

  
Dropped by
MD5 5fe083b626c6341f3670054ea21f119e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5bdc7542054db176843dc80f52316fe4961254ed557bd3e9afc5a4711b2cd370

Comments