MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52b0f189a1e266fd5e8ebbb97d116c47a28842eea388669753657342a9dc4083. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52b0f189a1e266fd5e8ebbb97d116c47a28842eea388669753657342a9dc4083
SHA3-384 hash: 546624782c116a89b8dd0477f64a7ff058a822b715c8937e980d3d5aa90a23f9a83bf84c47fe1a48e44a2fb49aaff1c8
SHA1 hash: 8c4c32c286b5c2676b792f693d1154fc5c5334cc
MD5 hash: 803d48dc1a33386a82f14835ebe89a77
humanhash: fanta-muppet-helium-pluto
File name:file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:384'183 bytes
First seen:2022-11-21 15:08:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:ZVGdx6x2FUd6osOsQtNlz2r/+IiCLkiFewKarFZJDJyUsN/hvRB7j:Htd6DQtfm+degw3rpJslhjf
Threatray 18'437 similar samples on MalwareBazaar
TLSH T167848AA93B62C016FFB136B08D271776166D8EDC14A0C36F125B6BFBEF51201244B6A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8eb2ec8eb4cca8f0 (3 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2022-11-21 15:13:01 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/848ec04a-021f-4d05-b065-6db8b4a70bb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336823/
Detection(s):
SecuriteInfo.com.NSIS.InjectorX-gen.19907.667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637b948da0efd596b82f0aa3/reports/b2465258-34c0-4f87-b92e-a019eb95890e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a7b74e4e-1156-4b26-8a26-95f8554144ff
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118276
Signature
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52b0f189a1e266fd5e8ebbb97d116c47a28842eea388669753657342a9dc4083/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-21 09:11:44 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkypdcnb4jtp2xuoxo4x2elmi6riqqxouoegnf2tmvzufko4icbq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
4dcf685ec146dd3a0b5cf5869bbda64af27223b16963e629df4f6103c8537208
AgentTesla
7c6f7db15d2a2982a12d818ab85a279a97139d4138ac36cdb791fdb3f9bd47fc
AgentTesla
7fa4a11b501e03019ad7b90d08c297554cd7c5e9b49de7aacfba190db630e5a4
AgentTesla
82a78e7776925c9f48f60d863ac5061e4edeca3bc560d9e6057d4f3dbb51ddf8
AgentTesla
8f4d63fea00eca6d91147de6a10b7aae6069f164ef00d5986eff571249552dae
AgentTesla
b3c83ca8ac0be1a91267ff0c5f12e3db8b08b4fa0c8c44df69a4a358c946bbee
AgentTesla
b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5
AgentTesla
e7708401091962a6b59c0bd32d966d0c34902de5d927b27c8e13f9123c8606d1
AgentTesla
ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83
AgentTesla
f857890d674a9d4abd8ef6d735c7c03eef0a75777c64cb4a62917d12b68dcbfa
AgentTesla
+ 18'427 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221121-sjfsjaeh53/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cea56ede-e354-4bda-899d-7d9ab318f1c4
Unpacked files
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/f8eeb266-5975-47ff-b35e-ebd9e31796d9/
SH256 hash:
52b0f189a1e266fd5e8ebbb97d116c47a28842eea388669753657342a9dc4083
MD5 hash:
803d48dc1a33386a82f14835ebe89a77
SHA1 hash:
8c4c32c286b5c2676b792f693d1154fc5c5334cc
Link:
https://www.unpac.me/results/f8eeb266-5975-47ff-b35e-ebd9e31796d9/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52b0f189a1e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/52b0f189a1e266fd5e8ebbb97d116c47a28842eea388669753657342a9dc4083

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/336823/

Comments