MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd
SHA3-384 hash:	0261d66a6380e0cf32b56ea2d9ed634462d9511c4d0352b8cd012df4b18d442574cea5d63a206c7ec3b095732456ff0a
SHA1 hash:	1f12e8c75ce9fd32b7b46234c4143459c461aa9e
MD5 hash:	c068c13434c442bfa1e763b7fec9a58e
humanhash:	zulu-finch-saturn-georgia
File name:	526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	684'544 bytes
First seen:	2023-06-08 11:52:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:IKt7z5GoJiGaq5aurHlOh4nA84mckFKqDi0vg+7IGbpTgAmpE/2+NLjXB28V68Y:p5GoR5aClA8rFKq9CLpz87l68
Threatray	5'002 similar samples on MalwareBazaar
TLSH	T1B8E4124173659B47F67A3BF21A62AAB017FAB82B7434E20A0CD273DF1662F405651F07
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd

Verdict:

Malicious activity

Analysis date:

2023-06-08 11:54:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eac613a6-6de6-402e-87b7-c05ffa4e1687

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XorStringsNET

Link:

https://www.capesandbox.com/analysis/396935/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67241729.5408.452.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/6481c11f42643c8ff4effb68/reports/81b1226b-3fb6-4bc4-a230-cab4d838cd38/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/006c51cc-4ee2-469b-9aaa-54fff65c45ce

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1251323

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-26 09:23:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kjvt6cluusyzdxlrctkwvrsayrsy7fxg5ynqnklsyc5si7i52pgq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12

AgentTesla

35770c56e33fb8d8c31fc263cff6070ae9fd06418ce29059ee8f53dd990c4c5d

AgentTesla

416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203

AgentTesla

5241d93369ff133d1aa4381a074806b10d37f414261f89f2198ef76d238b5ec1

AgentTesla

53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a

AgentTesla

92bc5b745a6e3757f5ffbda877cb0b5725606d214642fc37f16ad0cf98c0cd9d

AgentTesla

941a01878f1694106f0822a8b332f62135e5c61412c6e144ece4f2ba1d481927

AgentTesla

9794129ab61b8520756c9ef1a6ae7645dc0f909c44b934c50d46aae78f3d681e

AgentTesla

9b37de8ee5c3dc055abe9c0b8bf77a40f8660548df93c72647256a53d9ee6287

AgentTesla

+ 4'992 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230608-n2axsafg2z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6205694016:AAFra52NaS7UwXdNdP3UoFHG1Y79jlGWBko/

Unpacked files

SH256 hash:

4b399f3145327b59755c6e7273c04c280c286b9497b91a8b0ecc6f93b5a705de

MD5 hash:

17c8f3dc00520a981e1954bcf4071910

SHA1 hash:

f88b49efec1c5cf910d1fe8ddcd7a962c5431b74

Link:

https://www.unpac.me/results/3dcda30f-babd-4a6b-82ff-64c3444c349a/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/3dcda30f-babd-4a6b-82ff-64c3444c349a/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

aa55a49c4e26b6c0cfb3aa599f5cb5c6eae65e0a7884458e75614092d073cf5f

MD5 hash:

9d9bed3fb41b5b721aafd13220f48c73

SHA1 hash:

069c54846fffaf8ba3abc8f140a60dd9755ff20a

Link:

https://www.unpac.me/results/3dcda30f-babd-4a6b-82ff-64c3444c349a/

SH256 hash:

5f3954166b1a751e9500d3e3bef85979cc4dab87b6b7f331271d463971f27bfa

MD5 hash:

80bfefe88be5e5251e76f85338f95819

SHA1 hash:

05ca91159175d7d07bffac7b09f1fed809326a42

Link:

https://www.unpac.me/results/3dcda30f-babd-4a6b-82ff-64c3444c349a/

SH256 hash:

5ec78098c14c6edd1fa6218d30480e8054bf90c2998c2b067b8fd49772ea9de8

MD5 hash:

62c01382cd5669ec397cbf3677f3d12a

SHA1 hash:

01e07b9f040dfd7fd1fcf39f5af12bddb3fd1b0f

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/3dcda30f-babd-4a6b-82ff-64c3444c349a/

Parent samples :

9b37de8ee5c3dc055abe9c0b8bf77a40f8660548df93c72647256a53d9ee6287
9794129ab61b8520756c9ef1a6ae7645dc0f909c44b934c50d46aae78f3d681e
526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd

SH256 hash:

526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd

MD5 hash:

c068c13434c442bfa1e763b7fec9a58e

SHA1 hash:

1f12e8c75ce9fd32b7b46234c4143459c461aa9e

Link:

https://www.unpac.me/results/3dcda30f-babd-4a6b-82ff-64c3444c349a/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/526b3f0974a4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/526b3f0974a4b191dd7114d56ac640c4658f96e6ee1b06a972c0bb247d1dd3cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/396935/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample