MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e9d940acb96f85e1adb23b7ba12ef45487b995e304f3b2a5b577b4b37d52fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5e9d940acb96f85e1adb23b7ba12ef45487b995e304f3b2a5b577b4b37d52fd
SHA3-384 hash: f8b7f1b59a978c7cec36b77d314f5d053b0d141abd4c5e76993572f5a59a217b5c049db44fd5b8e80f1a1a343273aed9
SHA1 hash: 0cacfc7662d0c5d84317f214cd90d6170a1d291c
MD5 hash: ae9e5015de3a59abc45ba174db8afe59
humanhash: harry-sierra-happy-potato
File name:Proforma Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:667'648 bytes
First seen:2020-10-06 12:03:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0eulU5dOqCuwfh0H/NPo9d+TEfAENT6xk6ZwonS7sZdSS8Y1BGBDFgY3WV:L5cVuwfhso9sTEfAST6yqBdZc1FDM
Threatray 370 similar samples on MalwareBazaar
TLSH 4DE4BD003EE65F16C4FB97F81C986C304BB8B1D7A976E33D6EC490E929A57504D2B60B
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68576/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482721
Signature
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5e9d940acb96f85e1adb23b7ba12ef45487b995e304f3b2a5b577b4b37d52fd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 08:36:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xu5sqfmxfxylynnwi5xxijo6rkipomv4mcphmvfwv33jm35kl6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19ba233cbdf877627f6fdf82a471ced4c656ebab7a7205df943375d3ee12f746
AgentTesla
2408f4144f6b51601965eef8aaf6d78400e34e6599e59801dc6b5e48d385a077
AgentTesla
31965200cd068b9a5d9a8841c71c7745eb5e6ceeecc5d613db7a34c74950b029
AgentTesla
38ad7c6561e218160a0563cd037e4b55540f43d759e79183c189d223cc9fcde3
AgentTesla
3bd7b6261362b1891ea51a8516568d65cae3b59b6d4677cef8ad5d6eb1b2c600
AgentTesla
51497017e375de40bb058afb7ceb64a55769deb1ca83fff8fdb00862278660d5
AgentTesla
68a2e4d305b0efaf19d4a4618b2e043a0b67edc0848936a8c74d90ab22474980
AgentTesla
82e83d252610457f622c416ff561c954243eac2f0eac248cf483756c138573c5
AgentTesla
89f91033dc7748546044063944fadff99166213f894dac590e3705b6fb987c65
AgentTesla
9487b74400929b49dacce8735bc1b6fe790e048d037fcae9d4ce1f48668503ad
AgentTesla
+ 360 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201006-ya3a6lr2v2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d5e9d940acb96f85e1adb23b7ba12ef45487b995e304f3b2a5b577b4b37d52fd
MD5 hash:
ae9e5015de3a59abc45ba174db8afe59
SHA1 hash:
0cacfc7662d0c5d84317f214cd90d6170a1d291c
Link:
https://www.unpac.me/results/dd23b596-cec6-4858-aa3d-871a386a76b3/
SH256 hash:
c225c66f0951661d89ba45d5fcd8525b171e45a306b8d7c5a294ab26ffaf7819
MD5 hash:
3a03f32a352e1f01bce6f3413806aa2c
SHA1 hash:
41a82c4ca907c6b5436df17ad124913468d0390b
Link:
https://www.unpac.me/results/dd23b596-cec6-4858-aa3d-871a386a76b3/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/dd23b596-cec6-4858-aa3d-871a386a76b3/
SH256 hash:
1c797c2c55c401c02a210bde3a95093db8ef2b58d119bf4eea0285566bffab77
MD5 hash:
133bcbd8191dda3ebde61dcaea663a97
SHA1 hash:
92aa4204df4747715136b81a4bdb05de0de01ae0
Link:
https://www.unpac.me/results/dd23b596-cec6-4858-aa3d-871a386a76b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5e9d940acb96f85e1adb23b7ba12ef45487b995e304f3b2a5b577b4b37d52fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz a2ab266f3224c6cc6403b5bb6f89ce0d537f426973008abea16ae918db0758de

AgentTesla

Executable exe d5e9d940acb96f85e1adb23b7ba12ef45487b995e304f3b2a5b577b4b37d52fd

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a2ab266f3224c6cc6403b5bb6f89ce0d537f426973008abea16ae918db0758de
Cape
Cape
https://www.capesandbox.com/analysis/68576/

Comments