MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 052be6614bcd306afd888e6c858ea8530c22efd7dec64ea63dd15e2ca7448288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 052be6614bcd306afd888e6c858ea8530c22efd7dec64ea63dd15e2ca7448288
SHA3-384 hash: 522fc39a37ebc6e12cf9b40400634ec43fd3c87e85ec6f6aaa1825f4ecfaa2e835118a5535db5e89c29cbe8addd08a99
SHA1 hash: 1e355ff2707a72e3110e21cbac81edbfa7f42c5c
MD5 hash: 20165c7aec419c5a32d5be17e141e4eb
humanhash: lake-island-undress-lemon
File name:documentos DHL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'106'944 bytes
First seen:2022-10-13 11:42:29 UTC
Last seen:2022-10-13 13:06:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ss9Ux0zPOM1zDyf1Zsogsemj0YMmPCLDtSNFM7UNhHjs/oQauc7QNK6qn03b0str:ssWCzPX5S1ZReVmqV4H
Threatray 20'911 similar samples on MalwareBazaar
TLSH T167354BB93191658FC816B431C887DDB36AF66D616217D1C395D31FAFBC0C0BBDA122A2
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:AgentTesla DHL exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319891/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.10144.18938.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6347f9c65cada2cbc6ebea14/reports/cb7be5e4-84b6-468a-ac71-5e1d08bd18a7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27e41d9e-3289-43df-87a2-4a6b313d392e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089780
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/052be6614bcd306afd888e6c858ea8530c22efd7dec64ea63dd15e2ca7448288/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 10:54:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=auv6myklzuygv7mirzwildvikmgcf36x33de5jr52fpczj2eqkea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
28da60731bf188ed0779397f5109e2e5e9c70f64fb11a308969785016319ad76
AgentTesla
64dc20de06878b88c91f6bd86256d4724418b7f6483ebd69247e6b1bd3f6c04f
AgentTesla
6b4ae1bde5c68bdc96647dc1154eeea23eda290a970f8ddd9991a67337ab3689
AgentTesla
992ef31d0937e712c7b63d22049edfc0cf2cf4759dad91a93433bc935baeb19c
AgentTesla
b5de0c74c3c5e35b578d47b4e146d338982940f8bd0f213bc5548143db78079d
AgentTesla
c35a61b25b49b161c30a7d7dfed70a1a89ae5de7366ef59490946bbd81133b22
AgentTesla
+ 20'901 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221013-nvj7wacff5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5602029085:AAFvn75Mp1svMCWUwUeCjs79BAxe2GT8zus/
Unpacked files
SH256 hash:
35b4b290f5f29713c8b7fab322c17ddff796371a4cf4795f87e5448c2f44d9a0
MD5 hash:
22c52e4a7d10c9acabb19c8a5833b60a
SHA1 hash:
f16aed88146db37f8c7fcb9ef7295ae61175ff5c
Link:
https://www.unpac.me/results/359a6b17-2ea5-418a-923b-1c532eadce88/
SH256 hash:
992283010b62dc995e110887eede723b0ff993f868695b6438c30f564797e773
MD5 hash:
79e43f872bf069b67ec16369ff05f63d
SHA1 hash:
65220a597ccc08aba0ee8f52352ac60b473c261f
Link:
https://www.unpac.me/results/359a6b17-2ea5-418a-923b-1c532eadce88/
SH256 hash:
f7c38676ea55820758456829bfe2da8146bc6cea85914937489b8da8cacd4cc0
MD5 hash:
e46e25ec9fda3a98b23f005a7c29cc78
SHA1 hash:
4829d8dea006a649e5da318d734195fcde27328b
Link:
https://www.unpac.me/results/359a6b17-2ea5-418a-923b-1c532eadce88/
SH256 hash:
83bb8fb6ba4f90877cdd077f4fff68e0bd9472239613817f6524c804ebdcd97e
MD5 hash:
42be76abe20bb45d468061c4cb591334
SHA1 hash:
2a70c0736166aba5a96522876be43a5c659e79a9
Link:
https://www.unpac.me/results/359a6b17-2ea5-418a-923b-1c532eadce88/
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/359a6b17-2ea5-418a-923b-1c532eadce88/
SH256 hash:
052be6614bcd306afd888e6c858ea8530c22efd7dec64ea63dd15e2ca7448288
MD5 hash:
20165c7aec419c5a32d5be17e141e4eb
SHA1 hash:
1e355ff2707a72e3110e21cbac81edbfa7f42c5c
Link:
https://www.unpac.me/results/359a6b17-2ea5-418a-923b-1c532eadce88/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/052be6614bcd306afd888e6c858ea8530c22efd7dec64ea63dd15e2ca7448288

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319891/

Comments