MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51a7eac38c160c27832b8862d7586e0a042d853ee028afa0d3c740cd5b0a2b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51a7eac38c160c27832b8862d7586e0a042d853ee028afa0d3c740cd5b0a2b0d
SHA3-384 hash: 8f3fea05726f6c850c7a27b2a38ea6256aa0db1906165ad38a3b7d5cd905bbdd421150503b8c4a11fabacdcada7e5a18
SHA1 hash: 171ef7c2dc84433bcd1f8f6280e82b38f3bf1f0d
MD5 hash: b240f379f446c666e8cba5a148704df0
humanhash: jupiter-oven-golf-video
File name:SecuriteInfo.com.W32.AIDetectNet.01.12122.30207
Download: download sample
Signature AgentTesla
Create hunting rule
File size:793'600 bytes
First seen:2022-07-27 04:46:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:jiqMAyJnjUvETcyZ4bybBo+YRPfXJSBZiWM60EXJ6la+NFwelWg:j4A6UOci4er2SBZig0paktY
Threatray 237 similar samples on MalwareBazaar
TLSH T1C6F401F2B8DB101CD1797132B0B28D67F151FAB2B16D147CCBBC2456F0E69B84096BA6
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9800626eece2e0e8 (3 x AgentTesla, 1 x a310Logger, 1 x BluStealer)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294494/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.12122.30207.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e0c38eb3bb70bb32e3c570/reports/b242025a-22a3-4ec5-bacb-5c848ca9a480/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb4215bf-dc3d-4365-b005-986dc39f8cdd
Result
Threat name:
BluStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1041561
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected BluStealer
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 674055 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 27/07/2022 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 6 other signatures 2->58 7 Uarexqz.exe 2 2->7         started        11 SecuriteInfo.com.W32.AIDetectNet.01.12122.exe 1 5 2->11         started        14 Uarexqz.exe 1 2->14         started        process3 dnsIp4 46 192.168.2.1 unknown unknown 7->46 60 Antivirus detection for dropped file 7->60 62 Multi AV Scanner detection for dropped file 7->62 64 Machine Learning detection for dropped file 7->64 16 Uarexqz.exe 7->16         started        19 powershell.exe 7->19         started        40 C:\Users\user\AppData\Roaming\...\Uarexqz.exe, PE32 11->40 dropped 42 C:\Users\user\...\Uarexqz.exe:Zone.Identifier, ASCII 11->42 dropped 44 SecuriteInfo.com.W...et.01.12122.exe.log, ASCII 11->44 dropped 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->66 68 Encrypted powershell cmdline option found 11->68 70 Writes or reads registry keys via WMI 11->70 21 SecuriteInfo.com.W32.AIDetectNet.01.12122.exe 3 11 11->21         started        24 powershell.exe 15 11->24         started        72 Injects a PE file into a foreign processes 14->72 26 powershell.exe 14->26         started        28 Uarexqz.exe 14->28         started        file5 signatures6 process7 file8 48 Tries to harvest and steal browser information (history, passwords, etc) 16->48 50 Tries to steal Crypto Currency Wallets 16->50 30 conhost.exe 19->30         started        36 C:\Users\Public\...\sqlite3.dll, PE32 21->36 dropped 38 C:\Users\Public\...\SQLite3_StdCall.dll, PE32 21->38 dropped 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51a7eac38c160c27832b8862d7586e0a042d853ee028afa0d3c740cd5b0a2b0d/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-07-27 00:11:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgt6vq4mcygcpazlrbrnowdobicc3bj64auk7igty5am2wykfmgq._file
Verdict:
malicious
Similar samples:
0e8425fd51b3a7dc0286a2a063179c5e3c42db14d950670c300646b3cf8e7beb
AgentTesla
1d94021469e53e99bc28a0c744a03ef05db93c26e5debd3e59cda6f0fcc0934f
AgentTesla
1e555c2e46ef544275b0a6e1568bc51ec55bb875d6eb939f517d4d21fcf37449
AgentTesla
1f4eaf985e503e9aeade9362fbf02edd1d6cec43b7c7df88cbff1420c017518e
AgentTesla
204e06529e75295f8a01b247608340fc3f66311612f6bd518e65c23e7385df0b
AgentTesla
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
AgentTesla
c7f59a7678b39f9e6623e0b473f2420c8ba52a924ca70ab2ce849268c289c85a
AgentTesla
d2a89003afaf641041d0b9e6105b347a45da9eb13b780403c902f4511f0061ed
AgentTesla
db35c1b2866001a5054d699b34dd9b6f8cf6aa8e7d3050facd237fb2633aad65
AgentTesla
f7ef64ec582497050725afe8562b18971ba4b828ec640075c15976c7a941ba42
AgentTesla
+ 227 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer persistence spyware stealer
Link:
https://tria.ge/reports/220727-fejbmsacfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
BluStealer
Unpacked files
SH256 hash:
8d041e1495a030036ed59306df0b885165e2463e71e80869c652bd5336bceca3
MD5 hash:
81e66edc27646478707d10dfc7540e59
SHA1 hash:
b8e2810ddfd96b39a04044293d8c6f66d4ea3cec
Link:
https://www.unpac.me/results/28430eb7-e1c7-41ed-82cf-ca9054b59b4c/
SH256 hash:
1defca730e026449639ad47b2f6f0fa602a3320aa28e7bd40d5f9bb46237d46c
MD5 hash:
b2456518d7138d4cf6116b88b08a5239
SHA1 hash:
0323d9df19fc77bd908d49d33be5ce9e584312f7
Link:
https://www.unpac.me/results/28430eb7-e1c7-41ed-82cf-ca9054b59b4c/
SH256 hash:
a6acfe617040a5005be0d1675756dc9f09596d3bb2bb3ebc8a2c6881b8c4cfd7
MD5 hash:
db843358b89f4074346cab346720ab06
SHA1 hash:
94d77a5f2d66f20baf557ad30c3ab284665980d9
Link:
https://www.unpac.me/results/28430eb7-e1c7-41ed-82cf-ca9054b59b4c/
SH256 hash:
812418777ce4b1ad89c0e68bafef57d07dd3222778330c95a4ad36566bca8698
MD5 hash:
c9b973cd9720e5f3d23f97cbf730bf5c
SHA1 hash:
8081a790090fef1992b5553d81e26ef8867b6cb6
Link:
https://www.unpac.me/results/28430eb7-e1c7-41ed-82cf-ca9054b59b4c/
SH256 hash:
51a7eac38c160c27832b8862d7586e0a042d853ee028afa0d3c740cd5b0a2b0d
MD5 hash:
b240f379f446c666e8cba5a148704df0
SHA1 hash:
171ef7c2dc84433bcd1f8f6280e82b38f3bf1f0d
Link:
https://www.unpac.me/results/28430eb7-e1c7-41ed-82cf-ca9054b59b4c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51a7eac38c16/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/294494/

Comments