MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51a584528b7e6df7d03d10134ee1b11fa8131a9c250141737da3fd8b598fab65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51a584528b7e6df7d03d10134ee1b11fa8131a9c250141737da3fd8b598fab65
SHA3-384 hash: e8786822395892b0412083bf84413f3b3ab026934415fa5685b56bd067d1b96f902531f2d19e5344fbd14f5d2a95f763
SHA1 hash: c3d61bbde3aa0129d7f481b1d4dfb85a228e1c1d
MD5 hash: 246d85da891e5dcf768267283744727f
humanhash: fourteen-violet-comet-pizza
File name:246d85da891e5dcf768267283744727f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:916'992 bytes
First seen:2023-06-14 05:20:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Idr3lsb/+FSzQAeHTNX6hQnXi3JgKK+Cl:I8WyQAeHTNQQSiKgl
Threatray 4 similar samples on MalwareBazaar
TLSH T1941593BD2A8076AB9B75DE6241D2084BF23F772772535DA821D213C2872250F37ED94E
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
246d85da891e5dcf768267283744727f.exe
Verdict:
Malicious activity
Analysis date:
2023-06-14 05:23:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c281a3c-6492-46e4-b5f3-dec744b6664f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398596/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5773.29158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/64894e40b82d716c5afeb3d4/reports/b5f8c278-2dd7-4180-b53a-349326f72684/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/51a584528b7e6df7d03d10134ee1b11fa8131a9c250141737da3fd8b598fab65
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5668126c-755e-4428-9989-c49a8a04be40
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1254153
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51a584528b7e6df7d03d10134ee1b11fa8131a9c250141737da3fd8b598fab65/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 05:21:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgsyiuulpzw7pub5caju5ynrd6ubggu4euauc435up6ywwmpvnsq._file
Verdict:
suspicious
Similar samples:
1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292
AgentTesla
2c297ee99f448a8dab452f6317dcbfdb9510ae07b70fd6baa486ff46c0fe507c
AgentTesla
2d3f7cde8b7c6dff2835309532107db323ec291d5f5c1117ae0b38cfdf9b623f
AgentTesla
3d318fe7e857edb9267b1b826b71027ad24d9872f8540a707f1e2505a43c95af
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230614-f114ksdd3z/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/a32afce6-68cf-43e4-9efe-d997f620324f/
SH256 hash:
07a5f84d934a994032be9e6f080d904dbf26b7a47b7a65e319d272c545ba7f86
MD5 hash:
b0bdded7ebc2799503faf59a78fd0926
SHA1 hash:
4ef4f8505180fecc1c86ac1929dc533d61b0c7ce
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a32afce6-68cf-43e4-9efe-d997f620324f/
SH256 hash:
120a610fc9c8c8d05bf0f6b25ec2c342b02927ca1e33786724e741e98817c2d9
MD5 hash:
e85cd9aae24c551040a833a880f69732
SHA1 hash:
4172261a9b461d6ce8e9609ba48c6cd2a63873ee
Link:
https://www.unpac.me/results/a32afce6-68cf-43e4-9efe-d997f620324f/
SH256 hash:
51a584528b7e6df7d03d10134ee1b11fa8131a9c250141737da3fd8b598fab65
MD5 hash:
246d85da891e5dcf768267283744727f
SHA1 hash:
c3d61bbde3aa0129d7f481b1d4dfb85a228e1c1d
Link:
https://www.unpac.me/results/a32afce6-68cf-43e4-9efe-d997f620324f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/51a584528b7e6df7d03d10134ee1b11fa8131a9c250141737da3fd8b598fab65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 51a584528b7e6df7d03d10134ee1b11fa8131a9c250141737da3fd8b598fab65

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2638384/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398596/

Comments