MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51a28140eb38dc879d567ab3909ba4b555f861ce1f5b603d2aeff4b47baedcd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51a28140eb38dc879d567ab3909ba4b555f861ce1f5b603d2aeff4b47baedcd4
SHA3-384 hash: c02e8361e7afe949256c794014ad120fa99f1158ffbb8c572771919f1242e3fb19e8bdde7991df503266c99535b75da8
SHA1 hash: f2ca8a34338558ffbab9e07d4acf20346c64c1fb
MD5 hash: 33546dca33a9578951dacdf03f7344d9
humanhash: robert-blue-bulldog-hamper
File name:Scan_69660758.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:679'936 bytes
First seen:2022-06-08 07:50:22 UTC
Last seen:2022-06-08 07:54:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:qek7C5fcFrEFE4snfGclzQEccA8adrF0/hUqWS87ukimUOFink9q:e+kQA5fA8KZ02qWS8Zink
Threatray 17'369 similar samples on MalwareBazaar
TLSH T1CCE4122533DC0B22DB7D57F9582A584057B0A33A260BFB1D5EC021EE1E7AB92C917727
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Scan_69660758.exe
Verdict:
Malicious activity
Analysis date:
2022-06-08 22:52:38 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/80957228-93cb-4c32-977a-68c3c89ed7e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277646/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.8797.17749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62a054ece22d00d5e195ba25/reports/ffd70467-5257-4ed1-8ff4-7b7fa3b903d4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c45550a6-b4a2-449b-ac1a-554ea869a9ca
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008786
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 641282 Sample: Scan_69660758.exe Startdate: 08/06/2022 Architecture: WINDOWS Score: 100 53 192.168.2.1 unknown unknown 2->53 55 mail.majescoltd.in 2->55 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 4 other signatures 2->71 8 Scan_69660758.exe 18 2->8         started        12 Newapp.exe 2->12         started        14 Newapp.exe 2->14         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\AyxTtIjB.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\...\tmpBCC4.tmp, XML 8->43 dropped 45 C:\Users\user\...\Scan_69660758.exe.log, ASCII 8->45 dropped 73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->73 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->75 77 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->77 85 2 other signatures 8->85 16 Scan_69660758.exe 2 13 8->16         started        21 powershell.exe 25 8->21         started        23 schtasks.exe 1 8->23         started        79 Multi AV Scanner detection for dropped file 12->79 81 Adds a directory exclusion to Windows Defender 12->81 83 Injects a PE file into a foreign processes 12->83 25 powershell.exe 12->25         started        27 schtasks.exe 12->27         started        signatures6 process7 dnsIp8 47 mail.majescoltd.in 162.214.80.55, 26, 49768, 49786 UNIFIEDLAYER-AS-1US United States 16->47 49 x1.i.lencr.org 16->49 51 windowsupdatebg.s.llnwi.net 16->51 37 C:\Users\user\AppData\Roaming\...37ewapp.exe, PE32 16->37 dropped 39 C:\Users\user\...39ewapp.exe:Zone.Identifier, ASCII 16->39 dropped 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->57 59 Tries to steal Mail credentials (via file / registry access) 16->59 61 Tries to harvest and steal ftp login credentials 16->61 63 3 other signatures 16->63 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51a28140eb38dc879d567ab3909ba4b555f861ce1f5b603d2aeff4b47baedcd4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 07:04:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgricqhlhdoiphkwpkzzbg5ewvk7qyood5nwapjk572li65o3tka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26179d1a09bd8ba828aa47a001dfc66df53a6ec1138eae15ae067b19db45b2cf
AgentTesla
32252e51624f449f015636763feb4a6eaaea3f7ba436a217d9d1aae348529de7
AgentTesla
4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1
AgentTesla
5a32cc367669d0ab7fd55f6262fddf6395bfe71124683f15bf8f1497eb5d4a42
AgentTesla
8397c04c6cebbfcb4ffbc18722a72e8485626304db1fb5c83875e1d64b873a23
AgentTesla
a40edc7cd33020f9e1b599da3356fdebecd7ddcf26081aa028d42873ea882916
AgentTesla
b0e427b8e2db98edeea688cda0c6b0e33f936fae3a7b09b529a85a6190083df4
AgentTesla
b7bf1de793e0d6dfa04d392dc0d9f3c51a45aee617e7ec27c95d5c2d6ac054d5
AgentTesla
b7c289867d067d3d8f47d1d0b3e0fe63a7d18ebd8c8572037197aed2605a75ed
AgentTesla
fb13f5302756081d7dc2545468beddd187e44de679d3a776c62298bc18cf28c8
AgentTesla
+ 17'359 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220608-jptrxadhep/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
fae40318322a4a57170669182f5d7da4020b6d6cad00938dc296a638f2a1e341
MD5 hash:
640d65e2331816d3b78b6e2bdd141b52
SHA1 hash:
bae899f0ed904107845edb0eeb476b7b3f9786c3
Link:
https://www.unpac.me/results/325375b0-a1ce-434d-b118-c4799e6e3a48/
SH256 hash:
fe78017f2153de0c5ca645c4255899ab044502fe5c77d5c04ced635d9fe981d9
MD5 hash:
ab47b292d4d39311539a0b97e6661f4f
SHA1 hash:
54cd9efbebe4f41b23e6f24fffac0da8f72d921b
Link:
https://www.unpac.me/results/325375b0-a1ce-434d-b118-c4799e6e3a48/
SH256 hash:
51a28140eb38dc879d567ab3909ba4b555f861ce1f5b603d2aeff4b47baedcd4
MD5 hash:
33546dca33a9578951dacdf03f7344d9
SHA1 hash:
f2ca8a34338558ffbab9e07d4acf20346c64c1fb
Link:
https://www.unpac.me/results/325375b0-a1ce-434d-b118-c4799e6e3a48/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51a28140eb38/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51a28140eb38dc879d567ab3909ba4b555f861ce1f5b603d2aeff4b47baedcd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 51a28140eb38dc879d567ab3909ba4b555f861ce1f5b603d2aeff4b47baedcd4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277646/

Comments