MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5733b86891cf1507cbbc97b0cef0280175d40bf946eea3d302ec19d6ed38369. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 13

SHA256 hash: d5733b86891cf1507cbbc97b0cef0280175d40bf946eea3d302ec19d6ed38369
SHA3-384 hash: 317c8e61142d22df0b3e41eaca6373cc38b97dbf799e9ffe47be9e881f8f031463114cbced01771e114d70bba1cf8fb5
SHA1 hash: 3cd6d04fc855d0363552c2819b5494c3099256dc
MD5 hash: ea2d5c4a8b18baa2b176bcf1081ed78f
humanhash: dakota-berlin-neptune-beryllium
File name: Purchase Order.5643.exe
Signature: AgentTesla
File size: 1'613'312 bytes
First seen: 2024-01-18 07:41:45 UTC
Last seen: 2024-01-18 09:42:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:aWaS+JEfphxW553sSntC6s+6qbU0saooQaPSMdLAWqY8fWFEIJ3VUPvymws5IgZs:WS+axysYC6syUkoPaPS2AJNyxUP+Mk
Threatray: 5 similar samples on MalwareBazaar
TLSH: T11475122463E94B06E5BA6BF41824505047B57B49EC66D74CBEC130CE9A73F0AEB31E63
TrID: 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.9% (.ICL) Windows Icons Library (generic) (2059/9)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: lowmal3
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 324
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 89%
Tags: masquerade packed stealer
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains a domain name check
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected UAC Bypass using CMSTP
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2024-01-18 06:05:02 UTC
File Type: PE (.Net Exe)
Extracted files: 46
AV detection: 17 of 38 (44.74%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
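The behaviour lines above (WriteProcessMemory and SetThreadContext used against another process, together with the "Injects a PE file into a foreign process" and "Writes to foreign memory regions" signatures further up) describe the classic process-hollowing chain: create a child suspended, write a payload into it, redirect a thread's context, resume it. The detector below is an added example written for this page, not code from MalwareBazaar or from any vendor whose verdict appears above. The trace format ("seq caller_pid api target_pid [key=value ...]"), the PIDs and every event in SAMPLE_TRACE are constructed assumptions standing in for a real sandbox API log, whose schema you would adapt parse_trace to. The point it makes is that no single API in the list is the signal; the ordered chain against a foreign PID is, while a foreign write without the rest of the chain is worth a lower-severity finding of its own.

```python
"""Flag the process-hollowing API chain in a (constructed) sandbox API trace.

Added example for this page; not MalwareBazaar or vendor code. Trace line format
is an assumption: "<seq> <caller_pid> <api> <target_pid> [k=v ...]", with
CreateProcess flags given as hex in a flags= field.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit that leaves the new process suspended

# Map the APIs the page's behaviour reports mention (plus their Nt* forms) to stages.
STAGE_OF_API = {
    "CreateProcessW": "create", "CreateProcessA": "create", "CreateProcessInternalW": "create",
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "context", "NtSetContextThread": "context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}
HOLLOWING_CHAIN = ["create", "write", "context", "resume"]


def parse_trace(text):
    """Parse trace lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ev = {"seq": int(parts[0]), "caller": int(parts[1]),
              "api": parts[2], "target": int(parts[3])}
        for kv in parts[4:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def injection_findings(events):
    """Return {(caller_pid, target_pid): verdict} for every foreign process touched."""
    progress = defaultdict(list)  # (caller, target) -> stages in first-seen order
    for ev in sorted(events, key=lambda e: e["seq"]):
        stage = STAGE_OF_API.get(ev["api"])
        if stage is None or ev["caller"] == ev["target"]:
            continue  # unrelated API, or a process writing its own memory
        if stage == "create" and not int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
            continue  # an ordinary child launch is not a hollowing setup
        key = (ev["caller"], ev["target"])
        if stage not in progress[key]:
            progress[key].append(stage)
    findings = {}
    for key, stages in progress.items():
        if stages == HOLLOWING_CHAIN:
            findings[key] = "process_hollowing"
        elif "write" in stages:
            findings[key] = "foreign_memory_write"
    return findings


# Constructed trace (assumption, not from the sample on this page):
#  pid 4100 hollows 4156; 2200 writes into a normally started child 2260;
#  3000 starts 3050 suspended and resumes it without writing (benign pattern).
SAMPLE_TRACE = """
1 4100 CreateProcessW 4156 flags=0x4
2 4100 NtUnmapViewOfSection 4156
3 4100 VirtualAllocEx 4156
4 4100 WriteProcessMemory 4156
5 4100 WriteProcessMemory 4156
6 4100 GetThreadContext 4156
7 4100 SetThreadContext 4156
8 4100 ResumeThread 4156
9 4100 WriteProcessMemory 4100
10 2200 CreateProcessW 2260 flags=0x0
11 2200 WriteProcessMemory 2260
12 3000 CreateProcessW 3050 flags=0x4
13 3000 ResumeThread 3050
"""

if __name__ == "__main__":
    for pair, verdict in injection_findings(parse_trace(SAMPLE_TRACE)).items():
        print(pair, verdict)
```

Debuggers and some installers also launch children with CREATE_SUSPENDED and resume them, which is why event 12/13 above yields nothing; only a write plus a context change between the suspended create and the resume is treated as hollowing.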
Unpacked files (SHA256 / MD5 / SHA1):
b4f6305dc8f1a4eebfa25b478650e47edd41e2404016391f3391ac506813eea4 / ab741b53c3acc93736438446c72d1a52 / febfe36e5098a6de3660687cf0f61b5ad4be16d5
c34c560c5e37e0e5f166c0e1428ec4bfaafda5824ac234b1feef2d7e2d0acfce / 87355fdc93c81700d5c5628ec70ee851 / ab9578763963073ae6f29a4f9e7863b9c583766c
7068b4c4a494a22a9870a18d051ebfffad06b7b08386e948447870a0327631ea / 06d47a210dfea06eab38067c9e64bbbd / fa202a70637cd0b495d99f80f57e82729b624bb6
a210ff1aea21263c925cfc782c348532ec7a16880588f7d3691ec06285236963 / d5d63cfae3da6931ff2aa8f312332af7 / e8ea638e0f65974621c7015aa4345e8ee0e9d849
3f2509761d109a66da1003e605b13f8328da2a066382f2bbca9308eb6d877c66 / 5a331e780945a2cc2316420b5b6360e9 / ca938238538284942b6f661ba44149f5f2448261
156e63bb526b8a6babe84e34e5209bc72f54507fb9b5bd21f7dcffe059b41aa2 / 63e7070a898780dfd3139ef69a35516f / c5a13a1d423250682da22caf389906274b15bedf
d602a3aa3ae9f6cbd33f2bda963729110fd2d9095dd23073580ffaca35ee8b9d / 3a1f75ce52fcbe2306b4af6063c0cfc5 / c573caefd70176ce5508187337387b67a9fdb069
9aad2e2e0384ff11a22472a4fe3d401b47e43d33433915a047eeefc11d8d75e0 / 908a1ed12af825b51508897922b09b35 / c15df5b51b226ceefa98f528f106ae76ab171d97
c285a8e4560a93d62d6154c1dd67b0b7e940350ed49e1e3b243e7ca2d81e6161 / d26e0ab45203ab5f16350e052a2e9eb4 / bcc48eb0ff7bf3cbb6698fdd9dbf305cde5fe2c0
d92ccf33cc210506dda5fd6999d272fbc0f9f6c38fd7000a2f0570aaae678efc / 4548b9ba3436cbf013f6ee610edba0ca / b2d840e8d5742775fd0a37183ff899dacd53ccdb
52261fb03bb2abd6cfea4141056ed7147b84635ec779f70f444d4e9ac46988b6 / 4c29323c1954248af15c3986b9d65073 / b10abcbbcded1411b8d426b6b93ad71170f702c8
40b839a34a61b59e276bd94661ecf79002cb9c0873533764e49c516d6228ab4d / 8321d15f4d6a89612802c4bb73a8cc35 / ad28ab89b578e2829987e109e705cb4b12d41936
a69255e2241e203ccab43c5cd060c1a400c3bfe706b879dabe2292f2613f8ecf / bba85c386ba4e88dcf79905c82e17792 / aa7dd244e2b7d7dc709d1b484212b81d70268dda
37caab8e1584324fd8cd6e903655f98f2b762cc0cd0f4ab73335468b5e1b8cb2 / 1d9703167ace22a0d24b93949d55d59c / a88b9dfac048e5b606bd939114f9a50c6feb8bd9
e8c4a681ae34e50afd2277ccea2aea2e88c70cd9ac7dc58b186fe54406c2f217 / 811cbd6f3438594b1742ec77e83c3933 / 9a69229b93265f099a3b0e4f497fcba5fe0c7f56
ec613a145d2329e53fde1c449a990078b162545fed27cbbbadae9518f3b9cb7f / ad5557b2a5c64f539a07198f21a43208 / 97b6f67f7ccf4afad83fcbbabdf9010490e53979
e0dfa43b7f61ee59e2a1dbb3b038f9b69cfb3d1585ab91c53a66829303140e78 / 2d36e49190bfd5f4c6eaa7cd9abba485 / 95b52dc554e193589b0cdce0780904da4f8334a5
4c9f147c6208a0f5511ba6fe02af74195b5c77a5909a5ddcff4c3ed6234f8856 / 2318949ddfa444080270066f02f44bbf / 92f40e4f42b5012d8d44dbd3cbde25a37f5a5b59
a9c5e9aa0f0cd1ed1f6e277eaeacbe2aca45451384fd6eacd7a53b00a21185da / ee626d606fc8680dfe0069a8139ba7e1 / 901e8006ebee663a2d58719a234b901e6d45e454
370c4364ff671a2c6e872129ce91c6916be80277187efc4b75bf0ea14c42b20b / 82af01e49df0079fc97bf8324e8583d5 / 6da1132d48e4ac462f1426e4a855ff5b54f4a97d
b3798f433ba329b487072fc642ea468dfcba1be869bd07a650764597ab49c4a9 / 1388fc1ced1035ad173daec057d470a3 / 6cfd8eb5bf44e534506983801a72c26e9ecc2fff
e7b2bb040778e6d9cfdef908cc168a7ff11f81a5c4be5184b1cbae191a238c3c / 9dc008ffc79edb3aed32739c4a8a3995 / 5cbc87c6582ed6ab7a283e08c814e3644ef118b0
db0767d616929527cd6927a892216ff1009bc32fa8b5fde7b1baf7e3d66b1987 / 38a298df290e9e0749a024da45bc80a6 / 5b21537749bd79cb4e7e4f416f5597fe18e3a5f0
165451590297982fb46fccd4881a7db9cb42ed9d44f947753ef81009c969db73 / 96c59e8ba5cfcdcf6705c133ee85346f / 5a37e74a50daf6069c87e648a43d7175849ce5aa
cbcad59994e9a41f6c3b7a061ccbe2f0310303e4efd918f27a8212b529dff8de / 8b3ca551e9897a65377056a10c1d666e / 4d111c44be160afb5377c70e82912e18e5d2e33e
51dfa47445b914affb964225308b5158ac9409259f319b14b052ae56dc28397e / a474582508f7a0a3996a2096467f6dad / 46f5c1cec4131146ed03f4ade3cdec04c1874584
bb26278833ade51c8e31d86fa48693655e182142a688398db372537d57d28a87 / 116932b4f23c4bc0b54a4f7297d48623 / 45194c1e329d298850fd1d6f38115ba8ca4cc9c6
149c412e982a74e7340c46458e1c0df4bc979ad82cf533288274c8e7309ee104 / a28438410a26d3146bfbcf65a8f96820 / 3f7e6560316ac3313dd30c1573a86b61d66b22e7
b7364075e56c85de4ea38ce9093ca8eb27d55b61d3c0f32675eb3790d209bfbf / d5132e3d5df5bf01827b0e81e7713251 / 31938efbefbea750f48d2fa06fc283b969c1db06
487cffc8f6c9c5ebdd731a62b09f9d8ba42e6282bcfb231f066edc4fee9cc3a8 / 7b8a73c89953a395af3c80935d5d738e / 1ef0fc16621b572b00e3dbbc118f8136474e8020
d5733b86891cf1507cbbc97b0cef0280175d40bf946eea3d302ec19d6ed38369 / ea2d5c4a8b18baa2b176bcf1081ed78f / 3cd6d04fc855d0363552c2819b5494c3099256dc (this sample)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
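Both YARA hits above are imphash rules, and the imphash line in the file information section shows how coarse that pivot is here: one value, f34d5f2d4577ed6d9ceec516c1f5a744, is shared by tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, because a .NET PE's native import table normally holds only mscoree.dll!_CorExeMain and the imphash never sees the managed code. The example below is added for this page, not MalwareBazaar, YARA or pefile code; it reimplements the import-hash algorithm that pefile and YARA's pe.imphash() use (lowercase DLL name with .dll/.ocx/.sys stripped, "." plus lowercase function name, ordinals mapped to names where known or else "ordN", entries joined with "," in table order, MD5 of the result) and applies the equivalent of a `pe.imphash() == "..."` rule condition. The import tables and the partial ordinal map are constructed for illustration and are not taken from this sample.

```python
"""Recompute a PE import hash (imphash) and match it like an imphash YARA rule.

Added example for this page; not MalwareBazaar, YARA or pefile code. The
normalisation follows the pefile/YARA definition of imphash. All import tables
below are constructed and do not come from the sample on this page.
"""
import hashlib

# Partial ordinal-to-name table of the kind pefile ships for ws2_32 and oleaut32.
# Assumption: only the two ws2_32 entries the constructed tables need are listed.
ORDINAL_NAMES = {
    "ws2_32": {4: "connect", 23: "socket"},
}


def normalize_import(dll: str, func) -> str:
    """Return the 'dll.func' token imphash uses for one import entry."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):  # only these suffixes are stripped
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    if isinstance(func, int):  # import by ordinal
        func = ORDINAL_NAMES.get(dll, {}).get(func, f"ord{func}")
    return f"{dll}.{func.lower()}"


def imphash(imports) -> str:
    """imports: iterable of (dll_name, function_name_or_ordinal) in import-table order."""
    joined = ",".join(normalize_import(dll, func) for dll, func in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def imphash_rule_matches(imports, known_imphashes) -> bool:
    """Equivalent of a YARA rule whose condition is pe.imphash() == "<hash>"."""
    return imphash(imports) in {h.lower() for h in known_imphashes}


# Constructed import tables (assumption: not read from any real binary).
NATIVE_INJECTOR = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "SetThreadContext"),
    ("USER32.dll", "SetWindowsHookExW"),
    ("WS2_32.dll", 23),  # imported by ordinal; resolves to socket
]
# Same table with different DLL-name casing: imphash is case-insensitive.
NATIVE_INJECTOR_UPPER = [(dll.upper(), func) for dll, func in NATIVE_INJECTOR]
# One extra import changes the hash entirely, which is why a rebuilt loader stub
# usually breaks an imphash pivot.
NATIVE_INJECTOR_PLUS = NATIVE_INJECTOR + [("ADVAPI32.dll", "CryptAcquireContextW")]
# What a typical .NET executable's native import table looks like: every such
# binary shares this one entry, so they all share one imphash regardless of family.
DOTNET_STUB = [("mscoree.dll", "_CorExeMain")]

if __name__ == "__main__":
    for name, table in [("native", NATIVE_INJECTOR), ("native+1", NATIVE_INJECTOR_PLUS),
                        (".NET stub", DOTNET_STUB)]:
        print(f"{name:10} {imphash(table)}")
```

For clustering .NET stealers like this one, TLSH and ssdeep (both listed in the file information above) or Costura/resource-level indicators carry far more signal than the imphash; treat an imphash-only YARA match on a .NET sample as a file-type statement, not a family attribution.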

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d5733b86891cf1507cbbc97b0cef0280175d40bf946eea3d302ec19d6ed38369 (this sample)

Delivery method: Distributed via e-mail attachment
