MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0c5ea35abfdcdb2308311ff102c729fc064bd53703d5876f81eceff098d5336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0c5ea35abfdcdb2308311ff102c729fc064bd53703d5876f81eceff098d5336
SHA3-384 hash: 8883daf32681f1c1e5fe4aa21286d52cc08838b19170144540680b8772d8c8206f1c081465136955329b949c15336393
SHA1 hash: 7f1eed5b73b7e79160cc42ce03e3cc13d6eaaaa3
MD5 hash: 3ad45628a2e74399b6d99eba89781b43
humanhash: seventeen-mirror-cold-early
File name:ORDER REQUEST.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:490'496 bytes
First seen:2021-01-19 07:34:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 616765ca1e3c367f5f3771d38d13b610 (7 x Loki, 4 x RemcosRAT, 4 x AgentTesla)
ssdeep 12288:Of9HmdvPKCevoclgvufLrnfD5S+jQJo8ZRffxtSf1E:q9G96vr5L7g+MJomfx1
Threatray 394 similar samples on MalwareBazaar
TLSH 0AA4E13175C1C032D07202B642B4E7A209BE7E325B7648CBAFEADC5D1EB51D1A72A753
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.skyboymailserver.com
Sending IP: 5.2.70.181
From: Mahrez Ergül <mahrezergul@mert-celik.com.tr>
Subject: FW: QUOTATION QUANTITY
Attachment: ORDER REQUEST.cab (contains "ORDER REQUEST.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER REQUEST.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 08:25:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3dad9a08-2aae-4427-b749-f1600e296355

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112796/
Detection(s):
PUA.Win.Adware.Bang5mai-6804572-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584684
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0c5ea35abfdcdb2308311ff102c729fc064bd53703d5876f81eceff098d5336/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 07:34:40 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6dc6unnl7xg3emedch7raldst7agjpktoa6vq5xyd3hp6cmnkm3a._file
Verdict:
unknown
Similar samples:
2347a0e7713f626fa94f646b3a410e5262236f9af04219bb1263f4d9a054a3fe
AgentTesla
3da3d4d08d81e85337fcad590190b1575b80834e246012f3684ebe6d86118886
AgentTesla
43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6
AgentTesla
445e1ae4fb515ce4fca81255fc4f569ba238d2a7b3ba0c093f4d55bc8fa5ae08
AgentTesla
5119493c4011a4fb305bf5c909d783ded999159cbad7e26ec75862e6079a98d4
AgentTesla
86879b01844ab067722fd2ca12bf5a666136348ca9a7f72a33ca42d9707e84d0
AgentTesla
c2aa09fda8ed6089db384994dc58fe814ff5a725ea05cd1ccca910b0d901301a
AgentTesla
c4527be43e6ad0e3eb7e8ca1bf26c120c0c5eef996716178a87bbe2b807efa57
AgentTesla
f0a457ae5508abb5fe6b43b59a2b61df848e9a2ba8ab9a43f42ca65408a974fa
AgentTesla
f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11
AgentTesla
+ 384 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210119-hcvfh9mfzx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
041958088420d56c00a2008e1cf48d2b3262db83fa83d6d60768901046d762e6
MD5 hash:
1fd125cda377fabfc0661b8df5abd339
SHA1 hash:
e105b6828fec381bfec4b1fd1ab5987e455d7ede
Link:
https://www.unpac.me/results/aa37b297-447c-4277-ad7e-12a4c0a911b4/
SH256 hash:
3ea240e97ed61eded18a4fd94d44555128287003c6801afc9f9d413e6ef5ffe5
MD5 hash:
1e43f400c2b614545be90e0450cf0930
SHA1 hash:
1addd6a4b1f29e1382090acf5064c6d3331cf2c8
Link:
https://www.unpac.me/results/aa37b297-447c-4277-ad7e-12a4c0a911b4/
SH256 hash:
f0c5ea35abfdcdb2308311ff102c729fc064bd53703d5876f81eceff098d5336
MD5 hash:
3ad45628a2e74399b6d99eba89781b43
SHA1 hash:
7f1eed5b73b7e79160cc42ce03e3cc13d6eaaaa3
Link:
https://www.unpac.me/results/aa37b297-447c-4277-ad7e-12a4c0a911b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0c5ea35abfdcdb2308311ff102c729fc064bd53703d5876f81eceff098d5336

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 3e886f6450aa59e3e7e50bb043616b2d38eb2776d93b1da263da70657ea924ac

AgentTesla

Executable exe f0c5ea35abfdcdb2308311ff102c729fc064bd53703d5876f81eceff098d5336

(this sample)

  
Dropped by
MD5 5d22987a4b93a25aa99366843768287f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3e886f6450aa59e3e7e50bb043616b2d38eb2776d93b1da263da70657ea924ac
Cape
Cape
https://www.capesandbox.com/analysis/112796/

Comments