MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8
SHA3-384 hash: a0f0d84204a4c076468bd0e0c22db7cb30969339ca30a2b815a7d32c680b829660e8c046f3a0dea8f92dd0e41348f041
SHA1 hash: e249b9f9757a852c981943376cb1b1067170f6a6
MD5 hash: 5d766f42a531ffcd5dc28bb53aa241ba
humanhash: september-steak-fish-maryland
File name:831053927.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:380'635 bytes
First seen:2022-11-25 06:37:25 UTC
Last seen:2022-12-05 08:12:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn1x+Iern1T/hLTUvO6XqaV7Co73QDYAD8zRDJhquOFLEyNbamvSkRN8h2zz2M+:gxDMHTKTXbZ573QEeY9JkJlEyNbaBm8t
Threatray 20'055 similar samples on MalwareBazaar
TLSH T19E84234E71E2E0F7E6F227316D76962DD3B6670A02902F0B4F7D4DF59803AC7980625A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
831053927.exe
Verdict:
Malicious activity
Analysis date:
2022-11-25 06:39:03 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/1aba6afa-d7a5-4233-9688-d2cd41c88f9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338300/
Detection(s):
SecuriteInfo.com.FileRepMalware.13334.1283.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/638062cc559d07a06f475547/reports/9a03307f-64c6-4328-bdee-b0adc8ab8f54/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5fbbb0da-3aa5-413d-8cb8-518364e3b0b8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120893
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753610 Sample: 831053927.exe Startdate: 25/11/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AgentTesla 2->42 44 2 other signatures 2->44 8 831053927.exe 19 2->8         started        11 ywnveswjguxq.exe 1 2->11         started        process3 file4 34 C:\Users\user\AppData\Local\...\hjctkgqb.exe, PE32 8->34 dropped 14 hjctkgqb.exe 1 3 8->14         started        18 ywnveswjguxq.exe 1 8->18         started        46 Multi AV Scanner detection for dropped file 11->46 20 WerFault.exe 10 11->20         started        22 conhost.exe 11->22         started        signatures5 process6 file7 36 C:\Users\user\AppData\...\ywnveswjguxq.exe, PE32 14->36 dropped 48 Multi AV Scanner detection for dropped file 14->48 50 Detected unpacking (creates a PE file in dynamic memory) 14->50 52 Maps a DLL or memory area into another process 14->52 24 hjctkgqb.exe 2 14->24         started        26 conhost.exe 14->26         started        28 WerFault.exe 10 18->28         started        30 conhost.exe 18->30         started        signatures8 process9 process10 32 WerFault.exe 24 9 24->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 02:14:36 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xkoxqm5zmnim5v2crm2arqgww4u4pq2ak7rcoj4ddqjqdunul4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3315dba57b06d3e95fdab93ad09e5a67755b7ecf81274b0907cfe2e051e36b3b
AgentTesla
9956578575d6a02fe626c9eaf6e82e82da95e5d0fb3f67e3ad5c5c24633dca47
AgentTesla
9f660ff6e3caee11f67955164f6960a03343ab34ff7d234c004579aee754d9ce
AgentTesla
b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee
AgentTesla
d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e
AgentTesla
+ 20'045 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221125-hd24gacb31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7d1d0139-ff6e-4974-93a5-9228117da8d9
Unpacked files
SH256 hash:
ff776b65b3255be19bbe090c71212f12da972f45537802807de5dca1b451e24c
MD5 hash:
97e01fda31ffcc4b0b12444ba2d614dc
SHA1 hash:
b5687e88af828221e5aaced43df8849a0fbc612e
Link:
https://www.unpac.me/results/6555f5ea-8d83-4072-b580-f552af460a9c/
SH256 hash:
77923e240a26e27d50a833a13ff4558411b3fa0fe86f01afa19ac203733a9066
MD5 hash:
fdab23eeb384c83d0221f13670e65964
SHA1 hash:
00a1360fe86040dee1fd96be5630a912862e7a0d
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/6555f5ea-8d83-4072-b580-f552af460a9c/
SH256 hash:
fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
MD5 hash:
48638249924ba4b3620a082e39dee170
SHA1 hash:
8cbac55e61abd52ebe3810ddccdd5cb49b276808
Link:
https://www.unpac.me/results/6555f5ea-8d83-4072-b580-f552af460a9c/
SH256 hash:
f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8
MD5 hash:
5d766f42a531ffcd5dc28bb53aa241ba
SHA1 hash:
e249b9f9757a852c981943376cb1b1067170f6a6
Link:
https://www.unpac.me/results/6555f5ea-8d83-4072-b580-f552af460a9c/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5d4ebc19dcb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c09326c1955b5d98311bad052791337c5ab7a68de882b3d81fda171b79e9a23a

AgentTesla

Executable exe f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c09326c1955b5d98311bad052791337c5ab7a68de882b3d81fda171b79e9a23a
Cape
Cape
https://www.capesandbox.com/analysis/338300/
  
Dropped by
MD5 a38b32ba3c11a14ff3686178bb273d7a

Comments