MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52906a1cd3e2b1b5728deaf7842ebd70313d6e4bef0c4d5ddd0ad8245176a904. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	52906a1cd3e2b1b5728deaf7842ebd70313d6e4bef0c4d5ddd0ad8245176a904
SHA3-384 hash:	4606d632628cb77753bdbf47255386e859f926afdf4716c1c7992624d6521ab9749c79c3ffdcac015cb03ee50fc8f246
SHA1 hash:	e4716ebe71eea2b5225fcc68ae3a4b768ef1f181
MD5 hash:	6209042f6871570ebfb44f4c919c5d55
humanhash:	maine-maryland-ten-october
File name:	proforma invoice TRKINV2021000000000003005 TT Slip copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	289'603 bytes
First seen:	2021-05-31 06:53:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:tNvT3oKTBueFPGXFic5MxAcwTg4w5rKU0HIRgh/S2w:/joWBpGXOxArTgzdKSAvw
Threatray	5'400 similar samples on MalwareBazaar
TLSH	3D542217A5C25823E6F626722533E2F38FBBC8C4148105535F212FBB6B3460BD60ABD6
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

proforma invoice TRKINV2021000000000003005 TT Slip copy.exe

Verdict:

Malicious activity

Analysis date:

2021-05-31 07:00:46 UTC

Tags:

installer

Link:

https://app.any.run/tasks/02bc3300-b7f1-454b-a68a-22c51c2acc0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/163369/

Detection(s):

SecuriteInfo.com.TR.Dldr.Adload.86010.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Modifying a system executable file

Launching a process

Creating a window

Sending a UDP request

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/794517

Signature

.NET source code contains very large array initializations

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/52906a1cd3e2b1b5728deaf7842ebd70313d6e4bef0c4d5ddd0ad8245176a904/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-05-31 01:42:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 29 (48.28%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kkiguhgt4ky3k4un5l3yilv5oayt23sl54ge2xo5blmciulwveca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0e998a143797b2949946d9ff71667c220fad713935636046fc7a609928784f9c

AgentTesla

216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

6b0bdb675b4edca05f802e4a48e879c9f0f9bcedb8bc362d77ec714f3df6baa6

AgentTesla

81453065bd00296f689d548aba1571a2fae836d7708089a46c62a0045ff1baa6

AgentTesla

a65c17a6869bea83b82856617c8bd2e701eb96825cc078caf6cc6e56af0688a7

AgentTesla

caef1c1bf021d8a6adbf6032e999aa68e1052014bdc8691dfbf182eeadc338f1

AgentTesla

d5269c737f5691eab59bcc8c6ba21a4ad0244e37d87c2fae38543ad15aa6707f

AgentTesla

e7974f01abe5020856975bdd6fe08e8210f565686fd1da83a2c4a0e3dd64082d

AgentTesla

+ 5'390 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/210531-rcfwvbwaq2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/52906a1cd3e2b1b5728deaf7842ebd70313d6e4bef0c4d5ddd0ad8245176a904

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar fd0c218d24dea59dbd62eb5041aaa24dc0c34a6ae0ccea288f496eda3732bbe3

AgentTesla

exe 52906a1cd3e2b1b5728deaf7842ebd70313d6e4bef0c4d5ddd0ad8245176a904

(this sample)

Delivery method

Other

Dropped by

SHA256 fd0c218d24dea59dbd62eb5041aaa24dc0c34a6ae0ccea288f496eda3732bbe3

Cape

https://www.capesandbox.com/analysis/163369/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample