MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc
SHA3-384 hash: 5324ec899aa20a712d54d70212289af4960399d264a46ace130a89eafd757157e92c1e1a2f652498d84ac454bbfc10a3
SHA1 hash: b3883a90173d28154794ac430fec790716bcc0cb
MD5 hash: a91e329eddf0be4953e2a6e8900f0c0b
humanhash: salami-paris-violet-quiet
File name:Order 51897.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:145'424 bytes
First seen:2020-11-26 08:46:06 UTC
Last seen:2020-11-26 10:46:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:kaenErB8OD+fjKiIdzN9nRNyrG2/B/xwMfxRSGapAUfY:V5rB8OD+fOiIdBsyAfIGap8
Threatray 1'518 similar samples on MalwareBazaar
TLSH F6E3730C71B87C52E5F41734665AA0EF12E171842E2182E6F09DAEEDDDD31E18B3F992
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail203.livehostsupport.com
Sending IP: 101.100.215.87
From: Tina Larosa <Admin@anjappar.com.sg>
Reply-To: Tina Larosa<hicoc@zol.co.zw>
Subject: Purchase order (PO #5693112)
Attachment: Order 51897.gz (contains "Order 51897.exe")

AgentTesla SMTP exfil server:
mail.gayaceramic.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105627/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Sending a TCP request to an infection source
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547955
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323079 Sample: Order 51897.exe Startdate: 26/11/2020 Architecture: WINDOWS Score: 100 58 pastebin.com 2->58 68 Antivirus detection for dropped file 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 Yara detected AgentTesla 2->72 74 8 other signatures 2->74 8 Order 51897.exe 24 7 2->8         started        13 Order 51897.exe 2->13         started        15 Order 51897.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 62 pastebin.com 104.23.99.190, 443, 49724 CLOUDFLARENETUS United States 8->62 64 hastebin.com 104.24.127.89, 443, 49710, 49748 CLOUDFLARENETUS United States 8->64 52 C:\Users\user\AppData\...\Order 51897.exe, PE32 8->52 dropped 54 C:\Users\...\Order 51897.exe:Zone.Identifier, ASCII 8->54 dropped 56 C:\Users\user\AppData\...\Order 51897.exe.log, ASCII 8->56 dropped 76 Creates an undocumented autostart registry key 8->76 78 Creates autostart registry keys with suspicious names 8->78 80 Creates multiple autostart registry keys 8->80 82 2 other signatures 8->82 19 powershell.exe 12 8->19         started        22 powershell.exe 10 8->22         started        24 powershell.exe 8 8->24         started        34 3 other processes 8->34 66 104.24.126.89, 443, 49746 CLOUDFLARENETUS United States 13->66 26 timeout.exe 13->26         started        28 timeout.exe 15->28         started        30 timeout.exe 17->30         started        32 timeout.exe 17->32         started        file6 signatures7 process8 dnsIp9 60 192.168.2.1 unknown unknown 19->60 36 conhost.exe 19->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        48 conhost.exe 34->48         started        50 conhost.exe 34->50         started        process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 08:47:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=klmbletqityhmjcm2pcxwwwihmzvi5iltzfamjdrzhto3b7cvxga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3
AgentTesla
51477b02467aaaf53423652ed3cad01fc40fa63725602913aa6a84a0a748ddd9
AgentTesla
53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5
AgentTesla
65914c4a71b3670aacb5f165076d8f7f6542be80661727fb6d5d8038c9f13e4d
AgentTesla
8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
AgentTesla
985bab9e10b690bc2c378a3bf510f89746edfda88e33a3a393bda12e6d040fdc
AgentTesla
9bad59a7b2c604957e6dc7f52dbebcaf6b240eba426bdd2e973625cdd6c50c50
AgentTesla
aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb
AgentTesla
d3083455681d65c6d3d151874554ad31b053ea89daa743f09ad2128e978999dc
AgentTesla
+ 1'508 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201126-9xlhcejdex/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Windows security modification
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
AgentTesla
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc
MD5 hash:
a91e329eddf0be4953e2a6e8900f0c0b
SHA1 hash:
b3883a90173d28154794ac430fec790716bcc0cb
Link:
https://www.unpac.me/results/ae3cfd5b-3c30-4c5a-8e77-8ee2f7d3f65e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 0352c74ed40bb09d13e6dcaa5141a979e22dbc8b6ca3370dfd6a3e5afeb8bfc9

AgentTesla

Executable exe 52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc

(this sample)

  
Dropped by
MD5 922c9858579018eca2c010a14b3b4d52
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/105627/
  
Dropped by
SHA256 0352c74ed40bb09d13e6dcaa5141a979e22dbc8b6ca3370dfd6a3e5afeb8bfc9

Comments