MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242
SHA3-384 hash: 1d9a8f219b4a3674bf137d31fe09fc6a978554a6d7a14a93331cf3b5c46f7c88ef9f02ac7b6f800ca2ec7ecb2298a6ab
SHA1 hash: 20e1c3567b023f801f048be999d92d7596fc3e10
MD5 hash: 914f310ad18ec0e1c0269a1f8078ce06
humanhash: princess-mars-juliet-michigan
File name:584961.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:642'048 bytes
First seen:2023-10-03 13:49:34 UTC
Last seen:2023-10-03 14:38:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:QHE50g5oQe6NaASFo/zZQcXeNRaAStlqmO0fOa83i:Ew0BQJNkYyh/aBqqdA
Threatray 13 similar samples on MalwareBazaar
TLSH T16ED4AD08278855A6C35F5334C4AAA34DEEF0CE2F834A979E9E507EB99C133C5D9531A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.838.4583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Setting a keyboard event handler
Creating a window
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/651c1c0f4d45a517a3400820/reports/e50372f6-f489-4e69-8440-02996ae2b92d/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9cf8366d-b8d9-46c0-8e45-041e059097e3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318748
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 04:41:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 35 (54.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kd5lpz6fbzon5ucqrb3jhglcskuokrqgj2hgtsecnsupr55qgjba._file
Verdict:
malicious
Similar samples:
308bba46bfcb12039b06105bef71afccd82acb7df7658a8a4497c1955c67ee5d
AgentTesla
65c423ef88f86b07c5429ab4ebc8c89b7d6c39a032e8b7465f7b84bac91d3da9
AgentTesla
771ec2a2b691842fdb6ae7d67ec69d22911f2538120b522a0082038f2ce77aa9
AgentTesla
91ad210dae91d724c701330e1ce8fd5047b8ee7a475d1dcc1474a812cab351ca
AgentTesla
9858672b7c7fa3f8b4ef2ed4b8ab8686f1edfdc46a382ae6296051ac3b2742c3
AgentTesla
b73234fec5a6cbf5e739a75ce9aa9674f11dd409a81c740f009e1bf18c767c94
AgentTesla
c8298ea15d9737ceb275406b2d50919d012195a4e9a0f3be1f514fc364348b9f
AgentTesla
d0a1a4d065d7614fac58c3e4ed5f52e8889372a2d6c3d5bfa5c291cc1f990100
AgentTesla
da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7
AgentTesla
f171f8699ea2ebefdf7cdf2665d344cb46d0095c3fd89da5ed3c2bc0bdb3aaf3
AgentTesla
+ 3 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231003-q49j8sda28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e5bd8e6a5c25ee865746005aa339c0e6a53ac556e0c6653c340bdbd461d26108
MD5 hash:
84980b71f10a8c1bced61fcfa632b07d
SHA1 hash:
eb83c9767ade3b96128fc143e039abcad6d114be
Link:
https://www.unpac.me/results/1e37ca54-ab54-43f8-8c47-ae3cec09e54c/
SH256 hash:
32cb7e84a85cc42e41b20cb7582ad6f7e956ca1bd6dc8ab8aedaeb669f5c247e
MD5 hash:
3e069b7bc061addaf6cb183021e01ed7
SHA1 hash:
c2c7ffeb759226c4df54971b9ec0670f4eb48167
Link:
https://www.unpac.me/results/1e37ca54-ab54-43f8-8c47-ae3cec09e54c/
SH256 hash:
c7254ace49f337a4e9557c85622a9fa4ab8ac727f5b930e540b39e4eeb1a698b
MD5 hash:
e335cd694e03019ce5f96cb952e551f3
SHA1 hash:
981abb7ef6a712147ee3162d688a65df4a2f3040
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/1e37ca54-ab54-43f8-8c47-ae3cec09e54c/
Parent samples :
8015d0f83bd5b01a372675e35de2a1f181a696b8a9ab337adc9a8e873115637b
47f6279c12fdfe069c80911f6c22a2e1f13daa13b4595cf13b88d4e62f75b72a
50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/1e37ca54-ab54-43f8-8c47-ae3cec09e54c/
SH256 hash:
50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242
MD5 hash:
914f310ad18ec0e1c0269a1f8078ce06
SHA1 hash:
20e1c3567b023f801f048be999d92d7596fc3e10
Link:
https://www.unpac.me/results/1e37ca54-ab54-43f8-8c47-ae3cec09e54c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/50fab7e7c50e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_bytecodes_sep_2023
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments