MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532
SHA3-384 hash:	68a86dda82dcb52bbadfd1f281f43c2cf404510987fd21bac9afaf1fb993e9b5b4bea92fa59e7fcbc79abede060a5258
SHA1 hash:	31a6f0e2ac4e4e44795991b9ae5de3ac21f3c66a
MD5 hash:	87bcb7dc95d3d9ddf01fb453b3e96824
humanhash:	black-diet-fourteen-triple
File name:	1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'076'224 bytes
First seen:	2023-01-06 13:08:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:nt2iN1/Sr+peUv5KDl+mX/bMh2O5jCaCMJaBc4rCeijhJ0KSl+jO3H8c+9eFf+mu:nt1e+lgRTMhh3CMJaNmei9UsjO3H80
TLSH	T15135481353C4D513E4620A3B5587EE8740A0DE4F7EA2DB6C662BF93BF7F06826980D16
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532

Verdict:

Malicious activity

Analysis date:

2023-01-06 13:09:22 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/f5db1de0-7258-409f-b101-d36ae9b3381e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/350056/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63b81d6fbf1064ac5b2ddace/reports/4cc529d3-761b-4b1d-8ce9-579478bcbe1a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f30a6612-b34b-410d-bc30-f541d7f5f78a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1146322

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2022-12-22 04:59:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=djj4mroyutpx63gxs22cmujp6j6lwqeyrnzsjdtp5ofiusmlsuza._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230106-qdr79sca8t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5940813834:AAF8mKehOQ2jtgluy4NISP8DYRvxgz__xCQ/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/578f3955-119a-4c78-bb4f-dc984e54919f

Unpacked files

SH256 hash:

fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa

MD5 hash:

6c3fdb2b5d93cf814ea1b6ca05a0efcf

SHA1 hash:

f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5

Link:

https://www.unpac.me/results/1744b99a-7038-4080-8ca2-90d879fdeaa0/

SH256 hash:

d770dae2ad91ee53eab1006af188592e9d195e5e938234b96eb15b627c9dbe70

MD5 hash:

b1cc26037ee03079352896a4a4be1736

SHA1 hash:

97e298a91b6a0c2b3670be4b23cd1c0b3d399b8e

Link:

https://www.unpac.me/results/1744b99a-7038-4080-8ca2-90d879fdeaa0/

SH256 hash:

0e547c37f8e54dac872313c0bf8843ee9f49581212e8a56e116e19b15d24ab93

MD5 hash:

cb2b776adddef77d0d8643f38db7c143

SHA1 hash:

95d63b9dc0ab51dcb68794d3771c1db2ac681dc1

Detections:

AgentTesla

Link:

https://www.unpac.me/results/1744b99a-7038-4080-8ca2-90d879fdeaa0/

Parent samples :

1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532
cd96c879ce3a8b24fa5d021d0c296565806a4a98e75d90e8141943afbf517f66
20058a37a0cf3a42e99855994c9aa149b862e3ced83d64d491ee5dc2ddd4f942
18581776643e7ff918c5d6f8217e33b3ec7afe8c3df566a8d92833befb6e20b8
0136b412091dcc7ab89465b919f8b2efa89b23050345f6fefe6eedbf60d393c4

SH256 hash:

9e61af3b14ef8ca4f77cb66c229b96d3e44cd444d81b5834c26fc5ac3d3dcb8d

MD5 hash:

0e42b91be4c49b14df3e46d84d11868a

SHA1 hash:

24876ab6975e4de01cdbfbed6ca087adcbe80a07

Link:

https://www.unpac.me/results/1744b99a-7038-4080-8ca2-90d879fdeaa0/

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/1744b99a-7038-4080-8ca2-90d879fdeaa0/

SH256 hash:

1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532

MD5 hash:

87bcb7dc95d3d9ddf01fb453b3e96824

SHA1 hash:

31a6f0e2ac4e4e44795991b9ae5de3ac21f3c66a

Link:

https://www.unpac.me/results/1744b99a-7038-4080-8ca2-90d879fdeaa0/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a53c645d8a4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/1a53c645d8a4df7f6cd796b426512ff27cbb40988b73248e6feb8a8a498b9532

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/350056/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample