MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50be531a65362e72de7dd235671c5bd2bd8220e7fd6312cb2e2ca3272afa3fd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50be531a65362e72de7dd235671c5bd2bd8220e7fd6312cb2e2ca3272afa3fd4
SHA3-384 hash: b93922ccc6127a5f75aa9745066bee84f5e4ea6a66799275c584fe5850b587865c453356ef1768165fd9125d0fef12be
SHA1 hash: bf394ff86e230a475ba6028d7fc8ed04a4d0010d
MD5 hash: 7dab8befe9b5f46933b5e11d297cc2ee
humanhash: oscar-queen-salami-rugby
File name:7dab8befe9b5f46933b5e11d297cc2ee.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:25'064 bytes
First seen:2021-02-01 18:11:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 384:CFAvU61QJpQhNaJ2U5rOKgqdZlUMu0RYLUjs3a/dhp/u0phq:uO1g/YU5rOKhdZWMn21asChq
Threatray 2'426 similar samples on MalwareBazaar
TLSH 33B2E8D1574D9E82E46BF732727311334B60A11272EF8A63F47A13A32812B8027E3E57
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.ionos.it:587

AgentTesla SMTP exfil email address:
engkeylogz@hashtagflorence.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER RMHW202110322.doc
Verdict:
Malicious activity
Analysis date:
2021-02-01 12:46:06 UTC
Tags:
trojan exploit CVE-2017-11882 loader rat agenttesla
Link:
https://app.any.run/tasks/d5230735-08b2-4148-94d9-e8e6086ceb02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114998/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595719
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/50be531a65362e72de7dd235671c5bd2bd8220e7fd6312cb2e2ca3272afa3fd4/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-01 18:12:06 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kc7fggtfgyxhfxt52i2wohc32k6yeihh7vrrfszofsrsokx2h7ka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10b9c66c17d2e559b0770c647386194546a4f64243e813fa2678cb7f7b16a5d4
AgentTesla
2068d34ab1d61d86c973bc5d8cca5578f20a20fe2bf3f4b272dad5dd1f59ece6
AgentTesla
36f9ec0c44ca2ed814b6c301f89a1e31f2f84eed689569fba5ec0ec9464c2342
AgentTesla
55e6b0652a928f8bab293ded9e73ff9494b8de7638a3cd98cf42ded7fbdb198e
AgentTesla
5838c36fc9065ba544f6fa76efd90ba3a2ab7242f684ffa9bdb4753f7f670ef8
AgentTesla
6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc
AgentTesla
ae7115eba4476fd6ee40a39fa2d39eed04c54307726bb1fedbc81556c7b202ac
AgentTesla
bf3025624dcc46d9fbf44d9a47d242266ea1b97b1166c77c0747c39c26937b4c
AgentTesla
c9442156b26b8fe68a84028f85861191bff85680b1460d26b9491cbc3f3ac230
AgentTesla
d6a84c0371958157ad4f7645e34bc8128ffcf70d3cc5ee64eb76142cc41dc27a
AgentTesla
+ 2'416 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210201-8d7x3ark8n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
50be531a65362e72de7dd235671c5bd2bd8220e7fd6312cb2e2ca3272afa3fd4
MD5 hash:
7dab8befe9b5f46933b5e11d297cc2ee
SHA1 hash:
bf394ff86e230a475ba6028d7fc8ed04a4d0010d
Link:
https://www.unpac.me/results/cb68a9c0-4e80-464c-a358-1bf356244ed9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50be531a65362e72de7dd235671c5bd2bd8220e7fd6312cb2e2ca3272afa3fd4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 50be531a65362e72de7dd235671c5bd2bd8220e7fd6312cb2e2ca3272afa3fd4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/980753/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114998/

Comments