MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef5d7a378453ec390085e7c3f0e1f258fa2bc985f686a35e7d518acaa8ab68c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef5d7a378453ec390085e7c3f0e1f258fa2bc985f686a35e7d518acaa8ab68c5
SHA3-384 hash: 33a4dde9264eedd630f003e8dc337dadbea3d3e5ac875c1e34c8e540655e0bc2b4ed1bb1bf60691075234efeafdf9622
SHA1 hash: ba95d3c54c7786c2956fde16b2a817de1e631308
MD5 hash: d801914002da34722a59d67fb266a799
humanhash: yellow-bravo-bacon-seven
File name:ef5d7a378453ec390085e7c3f0e1f258fa2bc985f686a35e7d518acaa8ab68c5
Download: download sample
Signature AgentTesla
Create hunting rule
File size:650'240 bytes
First seen:2022-08-05 08:55:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:KW831hIsE7GUSQfG++Z0wIGixzBlZwoxkG08G2Mxq+8ZxUr:BQRE7GU9Jr9lZwoxkx2MGxUr
Threatray 18'654 similar samples on MalwareBazaar
TLSH T17AD4F000327DAB92C47D87FE64A1A08543F6271FB52DE75A4DD2B4DF2A7AF150A40E0B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b271c0cccccc61b2 (16 x AgentTesla, 8 x Loki, 8 x SnakeKeylogger)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ef5d7a378453ec390085e7c3f0e1f258fa2bc985f686a35e7d518acaa8ab68c5
Verdict:
Malicious activity
Analysis date:
2022-08-05 08:55:48 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/1ea14cd2-5fde-46ac-903d-d593b8c8b86d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296611/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44349.11880.14868-222265.UNOFFICIAL
Create hunting rule

Win.Dropper.Nanocore-9958488-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62ecdb265c07b66577fe2c76/reports/82fb6f8c-0abd-4e08-8eea-14ad34b35f3c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/415995df-175b-4c9f-9b7d-3b5dfea04556
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046653
Signature
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef5d7a378453ec390085e7c3f0e1f258fa2bc985f686a35e7d518acaa8ab68c5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 08:39:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=55oxun4ekpwdsaef47b7bypsld5cxsmf62dkgxt5kgfmvkflndcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2963fae285ad4e068f814701bcc9548be14a8ce28824e86cb59a89435d224fa3
AgentTesla
3e927ea7d9e59f48ac8dae514c97f80678cd412e82be06078c1be661eec15e49
AgentTesla
528e22ad9e4a5b5586b099f641cf323012fbef05531ab6b08136b5413cff9a75
AgentTesla
54d48500414b67ed625499d5d6e77230e4e460622d96d5d333a32aea4573ca9e
AgentTesla
9bada767c10c932126025f285f82aa13cefe16334ddc888ffdacc68ea90ea2b0
AgentTesla
ca4c05a15743b025ce6b1e8b27cabcff79737838b7c972e0ceaefcb98f702d89
AgentTesla
f358dd5247bd06944dd05a9dfd1688a480697c4d18e2660e5bf41ead6a566212
AgentTesla
+ 18'644 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220805-kv1yvahdf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5569258287:AAE8No64yGhQk8i1FTouXIrVCiNf0VgntYI/sendDocument
Unpacked files
SH256 hash:
dae82a241060163074de8b1ab3b3553fd58817c67fbf72979e49b0a6704e8f6e
MD5 hash:
b752d97a3c737efff771da6d28bdc601
SHA1 hash:
f75b77b9230db95de8571eefcaa6e9b6c517725a
Link:
https://www.unpac.me/results/1c00a48e-ac62-4644-89cd-85b0228ef1f4/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/1c00a48e-ac62-4644-89cd-85b0228ef1f4/
SH256 hash:
208f2f4ac901f9f5a8d9fc5b2240455f6d40dfddb5b3169ec6f27a1937cd69f8
MD5 hash:
2fa87ffbe472ee5eabdfee222e5c4852
SHA1 hash:
a9ad502288bc0c27c11b330d9bb10a5a79d25eb5
Link:
https://www.unpac.me/results/1c00a48e-ac62-4644-89cd-85b0228ef1f4/
Parent samples :
b861c4b970f924a31c68e4b1dbab9d5d5fceb2424a13241488d5daf11d0b773f
7beb725e0552ba0b4d2b4ab2f509e3042fd9b91fb3dc941c6b38c937847b6dcc
5c9c51f336a4f92821219c73a99bd5c7e4bc749967e95745b12af9c25285b314
4a61ccfd8a35a2d1b270bd04182b50e200fcf9f145700b109943999b3c32142b
SH256 hash:
ca4e3745f87ae419e10fa9dd15e9814f66a7dca601ae70bd3ae3b0b0781e9491
MD5 hash:
6491ab64072f34a6124f4cdf1d9bdd43
SHA1 hash:
78008e0c188d1732ebb5bbfe6d15892ebe32b1f7
Link:
https://www.unpac.me/results/1c00a48e-ac62-4644-89cd-85b0228ef1f4/
SH256 hash:
ec640bdfb5df7d263ef475e13599b8008c72f808a15324d632c386785417071d
MD5 hash:
2c4cbab8cdfd38e68390b8357c74e56c
SHA1 hash:
5c48a65ac54b455b07fcd536ccf87d78c5cb9fc0
Link:
https://www.unpac.me/results/1c00a48e-ac62-4644-89cd-85b0228ef1f4/
SH256 hash:
ef5d7a378453ec390085e7c3f0e1f258fa2bc985f686a35e7d518acaa8ab68c5
MD5 hash:
d801914002da34722a59d67fb266a799
SHA1 hash:
ba95d3c54c7786c2956fde16b2a817de1e631308
Link:
https://www.unpac.me/results/1c00a48e-ac62-4644-89cd-85b0228ef1f4/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef5d7a378453/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef5d7a378453ec390085e7c3f0e1f258fa2bc985f686a35e7d518acaa8ab68c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296611/

Comments