MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52a98d9a3b0bc741aaf73a4efb435797f130bd0a7ed960957e8e08346388d915. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52a98d9a3b0bc741aaf73a4efb435797f130bd0a7ed960957e8e08346388d915
SHA3-384 hash: a4197098ad166b0376ebd1aecbebdb8ac52481ed737e2e36b83e6934e826a3cd5dae581001273764d40b20ee24394d8e
SHA1 hash: d540094a3ae0cf5c3b8ca04aa703185c1a18ede8
MD5 hash: 1c56d5842f0f5cb191887615a65ba007
humanhash: harry-fruit-ceiling-venus
File name:KOPIA PLIKU APTIV SUPPLIER BASIC INFORMATION FORM 2023.XLSB.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:23'552 bytes
First seen:2023-07-25 13:17:50 UTC
Last seen:2023-07-26 05:07:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:WdmYFG/Gj0MOHpJIzcg2g9Hxx/cCK/FhM8TaiWimL/qgH7FdB77aRd:Wdml+jMJCzj2gzxkCKthhgSg9ar
Threatray 2'347 similar samples on MalwareBazaar
TLSH T1FAB24A06BA9D5134D95D973FC8EFC5042630DA423897CB0F79AA138D68333E9DA465CE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 067961b69269610e (1 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe RFQ

Intelligence

File Origin
# of uploads :
4
# of downloads :
280
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KOPIA PLIKU APTIV SUPPLIER BASIC INFORMATION FORM 2023.XLSB.EXE
Verdict:
Malicious activity
Analysis date:
2023-07-25 13:27:25 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/0132f2f4-a16f-44be-ab7a-082d2d2a2b0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/432213/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.349.3385.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/52a98d9a3b0bc741aaf73a4efb435797f130bd0a7ed960957e8e08346388d915
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/669fdf7f-4cef-4c42-ad72-5b90998b1dcb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279169
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52a98d9a3b0bc741aaf73a4efb435797f130bd0a7ed960957e8e08346388d915/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 13:10:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkuy3gr3bpdudkxxhjhpwq2xs7ytbpikp3mwbfl6ryediy4i3ekq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0cfa378be0ba59aeb6d4f75ec7f8e97d26794d5a4cc3258ded80117020226c96
AgentTesla
326e9ddf345c6128976b27ddab85e060e612b5977fc733448b5c0d7d5fa64c8b
AgentTesla
46b6fdea59c36bbb7d05b93343d11617e65aa3d76e9a2bf2c1d5969070364a29
AgentTesla
55d62602fbaca82ec54e520aa021690a91a0d5d1f6783747a4a2a97f282231c3
AgentTesla
5ab37893e96a883e509a0a1f7d79ca207761cf8b7a771d1e029114e8dabbfae7
AgentTesla
6e7cb379b1e49f7dd3b3d0a4512fa7542c02bffe3f367559862ec8d59e907b37
AgentTesla
b2e3994ebb72e0dccce7114c073f2917889fa09a3036d21a0f7a8b715ea77a8d
AgentTesla
c6ad6564b9a4e2a2f7d2d7cd13001f5277d9c2ecf83829611bd9d0eb4fc3b233
AgentTesla
e03f7cbee9ba8443d200f1bcc47101185dcdc27b965b0ce9b650a0aae4c40492
AgentTesla
+ 2'337 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230725-qjx1psdd2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
52a98d9a3b0bc741aaf73a4efb435797f130bd0a7ed960957e8e08346388d915
MD5 hash:
1c56d5842f0f5cb191887615a65ba007
SHA1 hash:
d540094a3ae0cf5c3b8ca04aa703185c1a18ede8
Link:
https://www.unpac.me/results/81361141-a293-4a35-9eb1-8bee5ae6bc2e/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52a98d9a3b0b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52a98d9a3b0bc741aaf73a4efb435797f130bd0a7ed960957e8e08346388d915

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 113633cb4d3b7411d428d5a0dc9c10a9d2d6492e3578101488d5f3b3091a9f77

AgentTesla

Executable exe 52a98d9a3b0bc741aaf73a4efb435797f130bd0a7ed960957e8e08346388d915

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 113633cb4d3b7411d428d5a0dc9c10a9d2d6492e3578101488d5f3b3091a9f77
Cape
Cape
https://www.capesandbox.com/analysis/432213/
  
Dropped by
SHA256 5646e0a8950dbc7862647818a5c75af7a09527aa25b4846010487d51ad365a01
  
Dropped by
MD5 bf784a95640e931e1cc1827fa972275f

Comments