MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5346cc75271fe0e7f133be6d6a7cf731cf1e88b68ff7c9b031a6da67c172f8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5346cc75271fe0e7f133be6d6a7cf731cf1e88b68ff7c9b031a6da67c172f8d
SHA3-384 hash: 252a2459f13d7c45b6398dd0f8088e83ef683b948011f6a984f1402c6fefc8ae3afc7634bc06d5ca816ba465bc94f3a1
SHA1 hash: d970a32f697103d418ceb7f0907ef6843c5f9435
MD5 hash: 03106f0659a6fef88431749b12156537
humanhash: michigan-london-zebra-bulldog
File name:Payment_pdf.com
Download: download sample
Signature AgentTesla
Create hunting rule
File size:30'968 bytes
First seen:2021-02-22 19:11:11 UTC
Last seen:2021-02-26 05:07:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 768:gFj58bTpko2hftD9h5UWeLqGyEVk4BNEpb6AiZQtQBQ/Mh:gFj5YpuhfF9fUWePqrb6xZMK
Threatray 2'799 similar samples on MalwareBazaar
TLSH 8DD24C028C27B97EE0DB5F395274C50B4A382A0795B2D82F7EC4B877465BA035C76E2D
Reporter abuse_ch
Tags:AgentTesla com

Intelligence

File Origin
# of uploads :
8
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118387/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DGB.genEldorado.7201.15291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Adding exclusions to Windows Defender
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614484
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356251 Sample: Payment_pdf.com Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 54 mail.royalhotelapartmentet.com 2->54 56 coroloboxorozor.com 2->56 58 3 other IPs or domains 2->58 72 Yara detected AgentTesla 2->72 74 Executable has a suspicious name (potential lure to open the executable) 2->74 76 Machine Learning detection for sample 2->76 78 5 other signatures 2->78 8 Payment_pdf.exe 17 6 2->8         started        13 explorer.exe 2->13         started        15 explorer.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 60 coroloboxorozor.com 172.67.172.17, 49712, 49721, 49735 CLOUDFLARENETUS United States 8->60 50 C:\Windows\Cursors\...\svchost.exe, PE32 8->50 dropped 52 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->52 dropped 94 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->94 96 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->96 98 Creates multiple autostart registry keys 8->98 106 4 other signatures 8->106 19 Payment_pdf.exe 2 5 8->19         started        23 WerFault.exe 23 9 8->23         started        25 cmd.exe 1 8->25         started        27 powershell.exe 25 8->27         started        29 svchost.exe 13->29         started        100 Drops executables to the windows directory (C:\Windows) and starts them 15->100 32 svchost.exe 15->32         started        62 127.0.0.1 unknown unknown 17->62 64 192.168.2.1 unknown unknown 17->64 102 Changes security center settings (notifications, updates, antivirus, firewall) 17->102 104 Machine Learning detection for dropped file 17->104 34 WerFault.exe 17->34         started        file6 signatures7 process8 dnsIp9 44 C:\Users\user\AppData\Roaming\...\CZVkY.exe, PE32 19->44 dropped 46 C:\Users\user\...\CZVkY.exe:Zone.Identifier, ASCII 19->46 dropped 80 Moves itself to temp directory 19->80 82 Creates multiple autostart registry keys 19->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->84 48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->48 dropped 36 conhost.exe 25->36         started        38 timeout.exe 1 25->38         started        40 conhost.exe 27->40         started        66 coroloboxorozor.com 29->66 86 System process connects to network (likely due to code injection or exploit) 29->86 88 Machine Learning detection for dropped file 29->88 90 Adds a directory exclusion to Windows Defender 29->90 42 powershell.exe 29->42         started        68 104.21.71.230, 49680, 49687, 49723 CLOUDFLARENETUS United States 32->68 70 coroloboxorozor.com 32->70 92 Hides threads from debuggers 32->92 file10 signatures11 process12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c5346cc75271fe0e7f133be6d6a7cf731cf1e88b68ff7c9b031a6da67c172f8d/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 19:12:07 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yu2gzr2soh7a47ythptnnj6pomopd2elnd7xzgyddjw2m7axf6gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
586409e98ade6e754cfba0bd0aec2e8690a909c41cebac4085cad6f79d9676b4
AgentTesla
65b75cee62573656b9a894f439da073433c735e6c7bb539321194f95cd5a8074
AgentTesla
7a39af512f69ee9235b6b5e199beb2313a42ce4d6ec9b610c6e54a131c415bd8
AgentTesla
8905819fcaa0d71e50cc1ec90e32258967e011878efb78f8db8893ad04a98174
AgentTesla
98712ca737a8d8cddc09bd41dbae64ccc816d5a846da270615108bac7023e19d
AgentTesla
acf949e60ec1fa015f83ea1d7caa8810bc0ccb28b99cab88f3d162819a526cab
AgentTesla
d8c590e11c422a5cf6b2a1f8ddceee64805d063739d0e83c234bdcabae9e3700
AgentTesla
e40b50918c860d686479a98167208e4104471d38708d82f267b4cedc4242ace2
AgentTesla
fd9b51a831b2bebf0dbb8729527ebcfc32c927e0b6f9911b31bf29dfaf181d0d
AgentTesla
fe378f1e009b2b77c3e08de81d767a79fee3bce433810158b3be3d470baac6b7
AgentTesla
+ 2'789 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210222-53sz1wnttn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla Payload
AgentTesla
Windows security bypass
Unpacked files
SH256 hash:
c5346cc75271fe0e7f133be6d6a7cf731cf1e88b68ff7c9b031a6da67c172f8d
MD5 hash:
03106f0659a6fef88431749b12156537
SHA1 hash:
d970a32f697103d418ceb7f0907ef6843c5f9435
Link:
https://www.unpac.me/results/59a1c1de-b49e-462b-81ce-666e72b0533b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5346cc75271fe0e7f133be6d6a7cf731cf1e88b68ff7c9b031a6da67c172f8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c5346cc75271fe0e7f133be6d6a7cf731cf1e88b68ff7c9b031a6da67c172f8d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118387/

Comments