MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 053db2d3b7df1490f84781536a2d0e66cc920b4ccdbfcc510c39a9661915f992. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	053db2d3b7df1490f84781536a2d0e66cc920b4ccdbfcc510c39a9661915f992
SHA3-384 hash:	9737bd5e1ce6cf8f66749a5ec694a7cf6e1b0152f3f36a05c0b702a4558941602ac0bdde14c4b897408c2faa69a0a391
SHA1 hash:	493c6d1050ce0ea2603fcc369a2295252904c247
MD5 hash:	d5cc39b9435285a5712f6c0f4204e23c
humanhash:	quebec-fanta-winner-nitrogen
File name:	053db2d3b7df1490f84781536a2d0e66cc920b4ccdbfcc510c39a9661915f992
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	83'886'080 bytes
First seen:	2025-03-07 14:23:32 UTC
Last seen:	2025-03-07 16:00:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'654 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	12288:ykr3u7W7XlCRoYsV9xHhwY+bICjtpXc9RX7dwLTWdcJ4Qvhe9yIK/Wdk:N3uSSoYcxBH+jHXCvwLQcJ3v4yIF
Threatray	3'501 similar samples on MalwareBazaar
TLSH	T1CE0801181318CA03C69E0779C5F1E2745BFD8DDBB582F356AADDAEEF7496B5018020A3
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	b0b268e8ccd486a2 (11 x Formbook, 5 x SnakeKeylogger, 3 x MassLogger)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

509

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

053db2d3b7df1490f84781536a2d0e66cc920b4ccdbfcc510c39a9661915f992

Verdict:

Malicious activity

Analysis date:

2025-03-07 13:00:32 UTC

Tags:

evasion stealer ftp agenttesla exfiltration

Link:

https://app.any.run/tasks/51d53662-a531-4aa7-9428-a88cbb546002

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67caee01c8d04e92a4bfb202

Tags:

lien msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Searching for synchronization primitives

Creating a window

Launching a service

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/67cb01974a3011c802ca5c93/reports/cfe94622-b50a-49e6-b243-b27ee596153c/overview

Verdict:

Malicious

Labled as:

Trojan.GenericS

Link:

https://www.hybrid-analysis.com/sample/053db2d3b7df1490f84781536a2d0e66cc920b4ccdbfcc510c39a9661915f992

Result

Verdict:

MALICIOUS

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1631841

Signature

.NET source code contains potential unpacker

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/053db2d3b7df1490f84781536a2d0e66cc920b4ccdbfcc510c39a9661915f992

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2025-02-27 01:22:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=au63fu5x34kjb6chqfjwuliom3gjec2mzw74yuimhguwmgiv7gja._file

Verdict:

malicious

Label(s):

unc_loader_037

agenttesla

AgentTesla

7fdbb9aa555c42d32185cbdc7059b1523278212d0afb365c6d81abcbc545d047

AgentTesla

b51868a125a577733f6208c4f11c8887aca278b339abe7f62fe2a4808a8399aa

AgentTesla

ca763bc6524433635d6e783c01d6eaac6e7afcefab82124d0fd98715e1d982cc

AgentTesla

error

AgentTesla

fffcac101917438d0e914c5967ce1fec5dea4a776965b7740c7f45ec91480c37

AgentTesla

+ 3'491 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250307-rqt33aslt5/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/f44cbb8e-14b5-435c-9d30-7a68aeaf2a86

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/053db2d3b7df/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample