MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52588494e071e71a1c8f47311bd922432d1c721dc7b10ad69f86afc651bb056b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52588494e071e71a1c8f47311bd922432d1c721dc7b10ad69f86afc651bb056b
SHA3-384 hash: 6dad7e4c609f67ee33911f182d9ff77553c771d18a3744c406ed7f9a5cfb7d4540a63aacd1f659dce9c6b641fb952ac0
SHA1 hash: 1716b4edb74f10e0e2f6b9df93e112eb6a6a7a95
MD5 hash: 20f2885ae3ffb24d8a905b8714207d5b
humanhash: lamp-fish-white-white
File name:QAP 367893738 Ed 7 pcs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:750'080 bytes
First seen:2021-07-28 05:41:52 UTC
Last seen:2021-07-28 05:47:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:dWOPU97PU9yUbnBLgZUkZOsBgo0q4wMCBMONUjZM4p9MTBI1HQeBmDi3Ck2Bb2iO:dWkkZOsBgo0q4wMCBMONuM43MTBIZQql
Threatray 7'486 similar samples on MalwareBazaar
TLSH T180F4BEF4022C7F0BF06F0BBD907140629BF450DBDA69CBD9FF2614E6AF266976011686
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QAP 367893738 Ed 7 pcs.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 05:43:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/044df583-4daf-4d2f-92b9-90bf5da1b4d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174571/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.953-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ba931ef-5171-4420-9629-b82226bc4723
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822908
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455320 Sample: QAP 367893738 Ed 7 pcs.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 6 other signatures 2->64 7 QAP 367893738 Ed 7 pcs.exe 7 2->7         started        11 kSrYER.exe 5 2->11         started        13 kSrYER.exe 2 2->13         started        process3 file4 40 C:\Users\user\AppData\...\KutogdgFsScBSF.exe, PE32 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmp7876.tmp, XML 7->42 dropped 44 C:\Users\...\QAP 367893738 Ed 7 pcs.exe.log, ASCII 7->44 dropped 66 Injects a PE file into a foreign processes 7->66 15 QAP 367893738 Ed 7 pcs.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        22 QAP 367893738 Ed 7 pcs.exe 7->22         started        68 Multi AV Scanner detection for dropped file 11->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->72 24 schtasks.exe 1 11->24         started        26 kSrYER.exe 2 11->26         started        28 kSrYER.exe 11->28         started        30 kSrYER.exe 11->30         started        signatures5 process6 dnsIp7 46 us2.smtp.mailhostbox.com 15->46 48 smtp.ojototheworld.us 15->48 36 C:\Users\user\AppData\Roaming\...\kSrYER.exe, PE32 15->36 dropped 38 C:\Users\user\...\kSrYER.exe:Zone.Identifier, ASCII 15->38 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->50 52 Tries to steal Mail credentials (via file access) 15->52 54 Tries to harvest and steal ftp login credentials 15->54 56 2 other signatures 15->56 32 conhost.exe 20->32         started        34 conhost.exe 24->34         started        file8 signatures9 process10
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 03:24:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjmijfhaohtruhepi4yrxwjcimwry4q5y6yqvvu7q2x4mun3avvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1a0b85e94b4c6c47e743b96560b09aad2194278caa770f27ca2e85ad69b62e93
AgentTesla
2b93abcfcf4c5489dfbc9a9849b2743dd82b0f09f2b772cdc73f3f4721cb9d1b
AgentTesla
392ff0a8dc9670e54508c4834e303c5147070b857e3f8dc0e910f2630649d736
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
772bc5203cddb673120c794d6fd7cbebef5016ac49090ed6c006bd66c0a4323e
AgentTesla
7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6
AgentTesla
8586940b285a92802ff9ca77ab7fb949de2a24784d4724dc18ce6d9c1ad6f187
AgentTesla
d022b7b48419dbef83e9d084602cbb5b10566d193db01248a72be46251669a97
AgentTesla
f7437bba4e59178441160b2b89e5aa94ee2afca4f07b7f1a47d5e93468de4742
AgentTesla
+ 7'476 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210728-h9mb8a5mza/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files
SH256 hash:
94b145f297c8ee1c9db14e4989c7ab18148024c689411f81257c7958fe0a39f2
MD5 hash:
b103090b3ef45cfe2ef9eaf80e506bcd
SHA1 hash:
b987a3078cea15ec580f70112667a57b0d3e1120
Link:
https://www.unpac.me/results/fd8fb7da-2021-4bf9-9aab-8a58c1056d1b/
SH256 hash:
2c9af916622dcb4423d81cba49b650c6d51071c5905c701770c368e2210d5d77
MD5 hash:
ebc20b2984cf4d035fc3f06328179e43
SHA1 hash:
a1e5472c5fe98f8e14e83e6713eeca9413991d46
Link:
https://www.unpac.me/results/fd8fb7da-2021-4bf9-9aab-8a58c1056d1b/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/fd8fb7da-2021-4bf9-9aab-8a58c1056d1b/
SH256 hash:
446a0ca823108f2f887af3aa194a8babd38011cf735a60ec5ff91d71c23ae13f
MD5 hash:
360328481a5412e27f0900c5e60f7c7a
SHA1 hash:
3c8be925a3abd6f5961583027e5ef008f8cccd66
Link:
https://www.unpac.me/results/fd8fb7da-2021-4bf9-9aab-8a58c1056d1b/
SH256 hash:
52588494e071e71a1c8f47311bd922432d1c721dc7b10ad69f86afc651bb056b
MD5 hash:
20f2885ae3ffb24d8a905b8714207d5b
SHA1 hash:
1716b4edb74f10e0e2f6b9df93e112eb6a6a7a95
Link:
https://www.unpac.me/results/fd8fb7da-2021-4bf9-9aab-8a58c1056d1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52588494e071e71a1c8f47311bd922432d1c721dc7b10ad69f86afc651bb056b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 5a6539dc7ba9f17d5abc3d26386b49140844bb5cafcaff2c1666f3fd54ffe73c

AgentTesla

Executable exe 52588494e071e71a1c8f47311bd922432d1c721dc7b10ad69f86afc651bb056b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5a6539dc7ba9f17d5abc3d26386b49140844bb5cafcaff2c1666f3fd54ffe73c
Cape
Cape
https://www.capesandbox.com/analysis/174571/

Comments