MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff
SHA3-384 hash: 40693aac5f4b845238c8f70306c43dcea96912a945047defc0caa10d3e7d6739ade4f4e1a5832827e6725ff8cc9fe194
SHA1 hash: 36bde31dc097245915cd48f5f364126fbe8a2da0
MD5 hash: 5a52f658d7ac037dbf02a51f84bb41fb
humanhash: red-pennsylvania-coffee-beryllium
File name:Proforma Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:599'552 bytes
First seen:2020-10-10 07:08:01 UTC
Last seen:2020-10-14 10:10:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DGklKBPdVcPQTBjwCYXrBHhESn8ra5Z29rAYUotjkUIXeWZ8+p:oB7798H2QYR7tQeWJ
Threatray 442 similar samples on MalwareBazaar
TLSH C8D4DFBF265C2B27C16C007E4658800D5EECF85A4DB2FD35EDEA30A5A2D15CCAE92573
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ns10.metro.net.bd
Sending IP: 103.36.103.52
From: service@made-in-china.com
Subject: Proforma Invoice with Revised Payment..
Attachment: Proforma Invoice.zip (contains "Proforma Invoice.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69718/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487448
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296166 Sample: Proforma Invoice.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 12 other signatures 2->47 7 Proforma Invoice.exe 1 7 2->7         started        process3 file4 33 C:\Users\user\AppData\...\IZEFEgUpAZCDv.exe, PE32 7->33 dropped 35 C:\...\IZEFEgUpAZCDv.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpF6DC.tmp, XML 7->37 dropped 39 C:\Users\user\...\Proforma Invoice.exe.log, ASCII 7->39 dropped 49 Injects a PE file into a foreign processes 7->49 11 powershell.exe 25 7->11         started        13 powershell.exe 22 7->13         started        15 powershell.exe 24 7->15         started        17 13 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 8 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 21:28:11 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywuc3banqzpktupsrrovrjtw2r6xnxtuno7353h5avu7tlshnp7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3
AgentTesla
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
AgentTesla
3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337
AgentTesla
4107ae832e2a94dd12c11823472aba013b3d016efbc357526152a2e0d2d3ca88
AgentTesla
4a4f7d774032e80c392ff7fe598a05736cf4f71dc0dcf5616ce980f9cbb598ae
AgentTesla
4bdce1c0f19e06fe3011983fd12202ca87b82016cf29422554ec1687e0ff377f
AgentTesla
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
AgentTesla
6b5ade8c20a7aa1d53ae922e4e473b254a81e61055296736ab0d82f8a743203d
AgentTesla
cc87cc3cff16721cb3f7e6be1e5be62bcdacafd1fa70ec879c6a9c12a9b438bb
AgentTesla
f974f658397b27bbc57a78873cfbebe57a8ff2742fc9b8bc4a69bc6736625099
AgentTesla
+ 432 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201010-7tns47dxke/
Unpacked files
SH256 hash:
c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff
MD5 hash:
5a52f658d7ac037dbf02a51f84bb41fb
SHA1 hash:
36bde31dc097245915cd48f5f364126fbe8a2da0
Link:
https://www.unpac.me/results/7f91c7bb-f177-4d49-820f-74ed6d4ca099/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/7f91c7bb-f177-4d49-820f-74ed6d4ca099/
SH256 hash:
aa2a5aab24f331b6157e5d575b60a006f0f48bac8776208dacf1252e25677f7b
MD5 hash:
303f77d522f1632b9c541c42da06d166
SHA1 hash:
aabb983aa58225df3433edf0215741bdc22174fb
Link:
https://www.unpac.me/results/7f91c7bb-f177-4d49-820f-74ed6d4ca099/
SH256 hash:
98b292e71912ddabdd70fccaa24b745c2a4733e3de148b746fa8df7d121d7763
MD5 hash:
1b2de0c65204a08ee0349c1f93aae34d
SHA1 hash:
dbae2ddcd6ef2a192eca699b5c172468200ff247
Link:
https://www.unpac.me/results/7f91c7bb-f177-4d49-820f-74ed6d4ca099/
SH256 hash:
f7a51107e5e68511046a9e2754185e362cb539cfb78dcf5a9d3671ca8f9792f2
MD5 hash:
9ca02cc0050806399b8ec6c1bdaf69a5
SHA1 hash:
e2108cdab6a78d5f0152394cb5b673eed8c7b349
Link:
https://www.unpac.me/results/7f91c7bb-f177-4d49-820f-74ed6d4ca099/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c1758a3fb8e5920928e6d1516ea66f02187876d99efabe7e74ea32284a1b6d11

AgentTesla

Executable exe c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff

(this sample)

  
Dropped by
MD5 7954c58bbdd4af32f53cd826de090e54
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69718/
  
Dropped by
SHA256 c1758a3fb8e5920928e6d1516ea66f02187876d99efabe7e74ea32284a1b6d11

Comments