MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c
SHA3-384 hash: 76d91efb1b6b58dcd2d58693d6060af3ac0be4939776dd9f15397942083abc124a54ae6ff3b7b15b8de1f04651ab764e
SHA1 hash: 17f5fbc272b049416516488a86c230de0e0e2d3c
MD5 hash: 39ebd306efd6ea1a34963b00df18cfc3
humanhash: pennsylvania-ten-hamper-purple
File name:estatement_01022021.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:715'272 bytes
First seen:2024-02-25 21:01:15 UTC
Last seen:2024-02-27 12:59:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:t4dWQyiwWMo5EXnnzQaq1l+KUEV499dnKm67jcbAMPxLW71ZOI1g+1WuUkR:JQyiw7o5EXnnzHq1lj5V4Vj67jpMPxLK
TLSH T12AE4220233AD4156E2792D32A17D964207B3F7435DBACB9E68C8858D5FF1315AE83B43
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 3094f06869e8d4d4 (3 x AgentTesla)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
444
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477698/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6010.24178.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Setting a keyboard event handler
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd lolbin masquerade overlay packed
Link:
https://www.filescan.io/uploads/65dbaacb510063cea1782b29/reports/915e8c35-207b-4f25-ba1f-36cdc6dd2a1b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf2fac0e-8377-487b-8180-21d52963a593
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1398434
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1398434 Sample: estatement_01022021.pdf.exe Startdate: 25/02/2024 Architecture: WINDOWS Score: 100 21 mail.rimiapparelsltd.com 2->21 23 rimiapparelsltd.com 2->23 25 api.ipify.org 2->25 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 10 other signatures 2->37 8 estatement_01022021.pdf.exe 4 2->8         started        signatures3 process4 signatures5 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->39 41 Contains functionality to register a low level keyboard hook 8->41 43 Adds a directory exclusion to Windows Defender 8->43 45 Injects a PE file into a foreign processes 8->45 11 estatement_01022021.pdf.exe 15 3 8->11         started        15 powershell.exe 23 8->15         started        process6 dnsIp7 27 api.ipify.org 104.26.13.205, 443, 49735 CLOUDFLARENETUS United States 11->27 29 rimiapparelsltd.com 67.222.130.10, 49737, 587 ASN-DISUS United States 11->29 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 2 other signatures 11->53 17 WmiPrvSE.exe 15->17         started        19 conhost.exe 15->19         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-02-25 07:03:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=euxkuyngsxpihlfgub7lznlfmiqev3tjwqxrqnv7x5optvspcsoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240225-zve4pscc42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
72638f4b30cc9dab51d31216991957bf1cd118b8a8743227b3e8f9c4805f7628
MD5 hash:
2a8240bba06e832ee5d136a0a7e5b5b9
SHA1 hash:
de49d9b33004a4a622a4279b3ee2b3e3e5cd012b
Link:
https://www.unpac.me/results/5bfb43ee-498c-4bc0-9eed-9952bf5de92c/
SH256 hash:
a472a32c6506392217aadba02a472a5718a87e7543c28e099217157da6cc0b57
MD5 hash:
c68e8358aa2a80bbbdf6f43f00ff0902
SHA1 hash:
8e51dcb7f995db8db040ddcc5db6bb4b048d2927
Link:
https://www.unpac.me/results/5bfb43ee-498c-4bc0-9eed-9952bf5de92c/
SH256 hash:
b0ab5156c1e5e7fc9f968b880dbf42704e440bab63d5cbaef8bf2df2670a427b
MD5 hash:
06d41ddeb56d013297b1193efaa05bb5
SHA1 hash:
84efcfb35ae417716e85a01c825cf853d9ae0db9
Detections:
AgentTesla
Create hunting rule
MALWARE_Win_AgentTeslaV3
Create hunting rule
Link:
https://www.unpac.me/results/5bfb43ee-498c-4bc0-9eed-9952bf5de92c/
Parent samples :
55f02b8d7758ec40e4c629e239a6b7c4e8b232ea5a1652357f582ae1d64782b1
ffafcbbf3656e0ace64d99d6e93abd741386bf0a4542839a5c8b9db8414b7a1e
ba37331dfdcb8da50797d4b8a3c5648f77fe9281cc6db7bdd65aaed080946286
673e3bfb2595b5d686e947a8a67b89e57271037c92a076ef8221b4fea0d387e5
b0ab5156c1e5e7fc9f968b880dbf42704e440bab63d5cbaef8bf2df2670a427b
e1f44a0055879abc0d8b0a75b9716e41d97fb0cc6c7669f27942dc3542551c29
fa6cfed07797c6a3fc1962de2c17bc2065431f4fdfa209b77d8a7f28051ec2d8
8949ce9874d73dae7318b895406ebce9811bbb8b834ed5195b9cb0783bfd1605
c3820a16faa2878b05636b40e8571711ed71735a8fcc732c26a9d3ea357a8a5a
0e738141435d85c326c49dba8cdc7bfdc990188d32f3447e797162bfaabb3301
ea02c25b3f82b2b175a483d4afe54e0c75e733865c2bd150670e7d296cd0dca5
36e763233ca3ff441f5ce71a59ec7b108f6329d27406b378758f6437a0f049c8
2139944dcc75ffd2ae23cf50fb751ebec4dffb7774764e8b4d48808f0925aedd
c32e369709b4820964c1ec126228f516bb4fe56e138ecbe5a3828603c3f8b7a7
d68bfd59c3db0b1e61fc5d88cccc6ed26da7bf1ce62dec8b7e820b2d0df77fb6
63b1c49f2a5cb69d745bebcbf6f3a1dceabf30e813840a25eff4284d20220257
8f985f295e769cfd6436d575d39b83ff17892794e90becbbc673eef403c70ca5
18ab014eb02b94eef74b9c6fd3f84a8e9c593d9cd8deca6fc5d50adb723dcc83
f7431cb039b7b6deb859f5afd5c813fca0f9a1b47dbcb0cd7bba5ce3a9b754d9
f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
04709040eacfb086cb71024a846c381ba9aaaabc80580aa2a63057df7ec218f9
15ca9c4f1fc178f2f528b1c6d677a77a93b8fe1130172137cf6a8d748eb66f65
252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c
35befae36a2f6c5d15da8d5ec83ffac9d42e32ea67a63b42fe9e230c5bd97462
d8385e24dcc05c0115ca31d9af40862be2918e6e14f1d5c83925827484ecdf8a
67f529dd5840b8cfa3b8c08d4ff21f6767fda83343a508536ce7a9a643198f0f
a8c3823229eea7d77b5f4a95176e9164ea666e7223ef94307973af7995c7764f
SH256 hash:
74ca149286f58fccf83354b54f819ebd04278dcc4901660656c7b9ab80556f60
MD5 hash:
6751e92a8d092039c4c2e4539bbe954c
SHA1 hash:
1aa2850eda7a47ccf1bcfdbb1f4b3be1b2ca454b
Link:
https://www.unpac.me/results/5bfb43ee-498c-4bc0-9eed-9952bf5de92c/
SH256 hash:
252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c
MD5 hash:
39ebd306efd6ea1a34963b00df18cfc3
SHA1 hash:
17f5fbc272b049416516488a86c230de0e0e2d3c
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/5bfb43ee-498c-4bc0-9eed-9952bf5de92c/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/252eaa61a695/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaXor
Create hunting rule
Author:kevoreilly
Description:AgentTesla xor-based config decoding
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 97840e121a8f9444d36ebc9dfb5f4c85f0bebef34052d6cc9365a7590d709967

AgentTesla

Executable exe 252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/477698/
  
Dropped by
SHA256 97840e121a8f9444d36ebc9dfb5f4c85f0bebef34052d6cc9365a7590d709967
  
Dropped by
MD5 8ea7499669a0a587f6d6deef4ee589d6

Comments