MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65
SHA3-384 hash: 41ad03ddcad34ed0ed25ee92dbcebd1243ba549d0103b006cfd85d896bb74273ebc3054c64d91fa5d7373716626953fd
SHA1 hash: 2c0a6af1c9e485d218f3e88a09a716a4c773b0cb
MD5 hash: d5f01bf9c0eafcd005df159ccf815362
humanhash: victor-jersey-missouri-arkansas
File name:Payment Slip_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'012'736 bytes
First seen:2023-02-24 16:04:22 UTC
Last seen:2023-02-24 17:34:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:/rMRuQUaI64grZK0rB3s3WkwB7hH6qnonTYqTJXLTQU5yxJWeqOoEN0HbXb:zW4R0rBUWkSgT1JUxJXqVjbXb
Threatray 929 similar samples on MalwareBazaar
TLSH T1FE25CF48E770432ADB9BBE7A3510215F6AE1B9913720DBBDE7C931F492007B5E2844ED
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Slip_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-24 16:06:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e9d68f87-8a83-40bd-acb2-be5abf318f24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369508/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f8e02f589e1e4c5bd8bc66/reports/cce3589a-4422-4342-b1c8-5172ea7225fe/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da4e28f6-f921-4197-8ad0-b166ccc63845
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1182014
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2023-02-24 16:05:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
53
AV detection:
17 of 25 (68.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yw6luayvkxkltkbvnnqg3ocxpuxgac2lxwsos4fu3i7cmnysh5sq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c
AgentTesla
18710be8e48b150038218c7bc797700c3fbcf34de3392bd0ca5fd337148220a8
AgentTesla
216509ca0f82c10daa1b7ea155f150766effa1270b1cc4d946f7b6d26851f092
AgentTesla
23b733b80abf2a3de431fdc75ec1ce480c4352a92c97d5dba57a3a45cb1030fe
AgentTesla
5b62fd08b3a979449bc21a217e7057e710e5a66ab1f4159a935db45629e24156
AgentTesla
883a76e3bd674d75abce5d85c78a92250b057e1cdf5c65aa80ca40ce9df5901a
AgentTesla
96c1f2e81dd6ac90324fe3eebbbd592670b5769adf64c8a73fb345d1749d4b02
AgentTesla
a67119e6131f2cf27b28044e3562d04abd86b62bcebbfa8ed7f4ecea90682f2d
AgentTesla
f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775
AgentTesla
+ 919 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230224-tjgv9shh76/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
66a6a545eb2fd1e70781ff5f25ced9a12c7e15c537035cfc2f9a2847e0745345
MD5 hash:
82370238a464416990d12f9fd6751b62
SHA1 hash:
c1dd3928061dbddf3b31a2154d3853b20e77714a
Link:
https://www.unpac.me/results/9ea677cc-856b-4748-9c1e-3b797d343c8b/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/9ea677cc-856b-4748-9c1e-3b797d343c8b/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
8bef0ec74b927ac081ee6de8852a0f6355e12f2fee84c559973143a440be6e83
MD5 hash:
5f722a6c12149fed72723488b5d960f8
SHA1 hash:
8e8379dff4eb546fec46811332af009bb972cbcf
Link:
https://www.unpac.me/results/9ea677cc-856b-4748-9c1e-3b797d343c8b/
SH256 hash:
dea2369b7d4c0bbad43ececcf9ba24cc7dc8e46c3de236b154cb9d5af0cbf5be
MD5 hash:
6336ffa05034538ea24a4bbd92249135
SHA1 hash:
7641540073babd9c68fd35144475bbeaaf637904
Link:
https://www.unpac.me/results/9ea677cc-856b-4748-9c1e-3b797d343c8b/
SH256 hash:
8d971b61833e54ca72599af00629ab8bdd180759a4958b6aca137df37581522c
MD5 hash:
aacc81487044c5118fddce45ce45dfa7
SHA1 hash:
19a81e2a38e7e42c8bd84563b0fe9ee3f580ddca
Link:
https://www.unpac.me/results/9ea677cc-856b-4748-9c1e-3b797d343c8b/
SH256 hash:
c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65
MD5 hash:
d5f01bf9c0eafcd005df159ccf815362
SHA1 hash:
2c0a6af1c9e485d218f3e88a09a716a4c773b0cb
Link:
https://www.unpac.me/results/9ea677cc-856b-4748-9c1e-3b797d343c8b/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5bcba031555/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/369508/

Comments