MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50050452f22edd51ccd484e785ceabed4990fe67806c1c42fcd7cbe1ee40e779. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50050452f22edd51ccd484e785ceabed4990fe67806c1c42fcd7cbe1ee40e779
SHA3-384 hash: 78ffd8c4136bfe82d31ca9deb2c01f720f35f54744bc3558bdbc2f13f6cb10c518767b1c43a34af5709ac0be4a5c67d1
SHA1 hash: d5c25f53df9c17f3599f81a8a3755a620e9142d7
MD5 hash: c38c193cb4f5ffe0f659b9cce043b1bb
humanhash: georgia-lamp-west-delaware
File name:c38c193cb4f5ffe0f659b9cce043b1bb
Download: download sample
Signature AgentTesla
Create hunting rule
File size:172'368 bytes
First seen:2021-06-29 20:30:31 UTC
Last seen:2021-06-29 22:43:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 3072:uxJfsHcdoGM61Epd+hkNuZJ0VBq6PVGBHojebSMMwMMMAB1LZEEuBL4MW5vuwDTc:uxJfsHcdoM1Epd+hkNuZJ0VBq6PVGBHF
Threatray 6'209 similar samples on MalwareBazaar
TLSH CDF322A8DBB8ACD7D50A90F99D72E5E5871BFF295424091E3C2A3073147235B38A5C2F
Reporter zbetcheckin
Tags:32 AgentTesla exe signed

Code Signing Certificate

Organisation:SP90g0225G0643832cGd
Issuer:SP90g0225G0643832cGd
Algorithm:sha256WithRSAEncryption
Valid from:2021-06-29T08:51:25Z
Valid to:2022-06-29T08:51:25Z
Serial number: 902427e096d1dc9672d228958ecf5b0b
Thumbprint Algorithm:SHA256
Thumbprint: 87987846d7729305a9cebee00dbd7526352a1b8bfae0ce54b3fbf001edd3460f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Copy.doc
Verdict:
Malicious activity
Analysis date:
2021-06-29 19:17:33 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/875b9558-1d28-4f40-b3fb-3481da3f7847

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168835/
Detection(s):
SecuriteInfo.com.Variant.Bulz.540623.29543.6288.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a192996a-69a2-4aea-8ad5-8a50acaa6974
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809680
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to inject code into remote processes
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442091 Sample: a5qySBAwfX Startdate: 29/06/2021 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 8 a5qySBAwfX.exe 15 4 2->8         started        process3 dnsIp4 36 kakosidobrosam.gq 104.21.67.197, 443, 49718 CLOUDFLARENETUS United States 8->36 30 C:\Users\user\AppData\...\a5qySBAwfX.exe.log, ASCII 8->30 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->56 58 Contains functionality to inject code into remote processes 8->58 60 2 other signatures 8->60 13 a5qySBAwfX.exe 2 3 8->13         started        file5 signatures6 process7 signatures8 62 Adds a directory exclusion to Windows Defender 13->62 64 Hides threads from debuggers 13->64 16 a5qySBAwfX.exe 6 13->16         started        20 cmd.exe 1 13->20         started        22 powershell.exe 26 13->22         started        process9 dnsIp10 32 208.91.199.224, 49748, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->32 34 us2.smtp.mailhostbox.com 208.91.199.225, 49747, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->34 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->38 40 Tries to steal Mail credentials (via file access) 16->40 42 Tries to harvest and steal ftp login credentials 16->42 44 Tries to harvest and steal browser information (history, passwords, etc) 16->44 24 conhost.exe 20->24         started        26 timeout.exe 1 20->26         started        28 conhost.exe 22->28         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50050452f22edd51ccd484e785ceabed4990fe67806c1c42fcd7cbe1ee40e779/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 10:53:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kacqiuxsf3ovdtguqttyltvl5vezb7thqbwbyqx427f6d3sa454q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
225de92e4a01822b3595e2cc36644a8420af71b00f9fba1c38f2bf0b48fa843b
AgentTesla
8e0eb9de7614d5f266b4d4ecb1e7af79630c6ea4f52d2090092b00ab547091b6
AgentTesla
9c126d87c5f7e379306e67c3f26c8f1019ef99b9d605618c77c4083f8c8c8ac7
AgentTesla
a4afdf92458dfa010ae7e0a35d14bc79fbaba7488461cbce8ef8a9302afa3a55
AgentTesla
a7f3aeae178c063964966201605c994a8b4881f45ff0cd1a0a36bdf46de2fcc2
AgentTesla
c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca
AgentTesla
d6e209bed82a28f5559074dc102c43d10bd28d9468f1a15a5ae2cc6011de234c
AgentTesla
de0419f15e231116f87b5ac3a8aeab734175c685920fce69c8c39836d1ab4491
AgentTesla
ec21d1cf412a7ecc9bf3f22c75b7de266f0fbb22dca452ff31960c7cd261e79d
AgentTesla
f35ea943961db78e81a0f568f05afac9500ec4f093aa4bb543fe25ca1722f59c
AgentTesla
+ 6'199 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210629-fcenf3yxwj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla Payload
AgentTesla
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
50050452f22edd51ccd484e785ceabed4990fe67806c1c42fcd7cbe1ee40e779
MD5 hash:
c38c193cb4f5ffe0f659b9cce043b1bb
SHA1 hash:
d5c25f53df9c17f3599f81a8a3755a620e9142d7
Link:
https://www.unpac.me/results/58f31815-5cea-4ecf-9803-f64cf93600e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/50050452f22edd51ccd484e785ceabed4990fe67806c1c42fcd7cbe1ee40e779

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 50050452f22edd51ccd484e785ceabed4990fe67806c1c42fcd7cbe1ee40e779

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1411504/
Cape
Cape
https://www.capesandbox.com/analysis/168835/

Comments