MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52bde461afed3a5115ff564146fb16c851cfa50e49205a34d1c028c0b08190d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52bde461afed3a5115ff564146fb16c851cfa50e49205a34d1c028c0b08190d5
SHA3-384 hash: 904dfbbc981d40399259c95a8205caddca5f1f1095917dfa752bd3418bede6eba4c85e13684ad437632fe25d4ca8eb46
SHA1 hash: dc2bc1de0c3b855375d608078a966d4abb02d5c7
MD5 hash: 721652d77f4ca0310138ea12a36221c5
humanhash: fifteen-north-delta-mississippi
File name:BBVA-GIRO USD 9304-21009.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'052'160 bytes
First seen:2021-05-31 21:55:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:pJ3o0NbTXLjaCCb5KtViFjOp1LB8P5pI:pJFYtKjiFjqxB8Bp
Threatray 5'433 similar samples on MalwareBazaar
TLSH 5A253A4D2614DB11D229D374CAEA44B353E0ED23E201EB8A9CC63BD536727C73A8656F
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BBVA-GIRO USD 9304-21009.exe
Verdict:
Malicious activity
Analysis date:
2021-05-31 21:55:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c6d6d457-29f2-4e8d-991b-8034a0f4d663

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163579/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794885
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/52bde461afed3a5115ff564146fb16c851cfa50e49205a34d1c028c0b08190d5/
Threat name:
ByteCode-MSIL.Trojan.AgenteslaPacker
Create hunting rule
Status:
Malicious
First seen:
2021-05-28 03:53:00 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kk66iynp5u5fcfp7kzaun6ywzbi47jiojeqfungryaumbmebsdkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1170c143e22541ebce0945bd4aae52dad1cb260620a850552731d708fb405ebd
AgentTesla
3c2e9688b7d827253277d6f48dad783df52daf27324f419a8a58b3b61d94453f
AgentTesla
3d5e89a87b2845450d3d26843ae4747e8692c7f37dd13b3a49d56b3d37880a0c
AgentTesla
4fa5fc906da5080dbb40f75ff0aa9301080531e3dccaede9e9169121b5d0822d
AgentTesla
6df994f6421e241ba1e7a9429be9b804dfb3bc7f9a145256e2b48bcdec3c03f1
AgentTesla
84f139176900fbf413d74ae46ee5902350d9911a22b44be65e0a9b4dacfd9e32
AgentTesla
89444f8c0f1f3e941506f8914d357918a67d8d813115eb361754dc38c5982b60
AgentTesla
ec11b9a6145dafb16d9f1d1355b00e15171136749f5e2b59c2c8266da65be397
AgentTesla
f76bb6aa709b1aa421767e7861b85ce92c61c8bf0283614aa070c3b105fd751e
AgentTesla
f7cb0d741ef72e11cc1aa14a000f747f2b0e5902b7015288b23daeafa86826f2
AgentTesla
+ 5'423 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210531-v4226mdmbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52bde461afed3a5115ff564146fb16c851cfa50e49205a34d1c028c0b08190d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 52bde461afed3a5115ff564146fb16c851cfa50e49205a34d1c028c0b08190d5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/163579/

Comments