MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52eaa2efa586bbcabbba08c6bb8f4b139ef7133c3f8fd1e5df73b19412b73acd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	52eaa2efa586bbcabbba08c6bb8f4b139ef7133c3f8fd1e5df73b19412b73acd
SHA3-384 hash:	90170c3546f981f2192a3409d32148ad9929f7dfe1a9291f316d14799f1bf681f2f211a81e61710c16ebb8c246c4f95b
SHA1 hash:	9d53579e681124074b4c568d01bc3a405d55bd89
MD5 hash:	927fab3ec236804c2a332e74eebfc470
humanhash:	oregon-oklahoma-seven-tennessee
File name:	New Inquiry015 02-12-2020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	669'696 bytes
First seen:	2020-12-03 08:57:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:R1YN3HcZOc5y2m7VVVwBjc4XQaEKPoOXa8Bv+nSXcJygY022qPVGNbTuMuKBD7h2:RCGtm7VVWVc47EKxR1XHgY0KST0sDd
Threatray	1'648 similar samples on MalwareBazaar
TLSH	DFE46C39AF59262AF53AA77CC1B02055A7ED6793B307CDDD2CB201C90B63E029ED152D
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/106562/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42726.22989.11807.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/554468

Signature

.NET source code contains very large strings

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/52eaa2efa586bbcabbba08c6bb8f4b139ef7133c3f8fd1e5df73b19412b73acd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-03 07:43:05 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=klvkf35fq254vo52bddlxd2lcoppoez4h6h5dzo7ooyzievxhlgq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

43456ccf78231f448437d34b0d8e0f539fe2713743928d8bba119207b8b5f22a

AgentTesla

7d47aae61d6960e7900bb2102b481114a8d948f13cc404082f376786e88959ad

AgentTesla

80d2742ad2aa2b84c5c32278be4a819400da0135ce52389e6ad711539d6ab9d6

AgentTesla

8642bef0da90b39eff7e2f28570d28aa2a9aaabcd181c9f64bcfbdd331a606f1

AgentTesla

9814c6959d79cae63bbff31a0c677e4eefade63e272f68047a54e715ddb445a7

AgentTesla

a12f642139a7cfe0891e40b83400cae049a06c959f742700d47f096ccaa32736

AgentTesla

c4cfc6eb77f1095f81578053857d14d9597a3c13aa35654fc2742989862ce6e8

AgentTesla

ced74986e807f1b4dd969d4811e20b516b11b39d0d8681ebadf9123a6de30b7c

AgentTesla

f9e0e3eb49ce4d6156f30deddef92e6b750d24ccafff82afdbe842244894c156

AgentTesla

+ 1'638 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/201203-k1b2tcnve6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Unpacked files

SH256 hash:

52eaa2efa586bbcabbba08c6bb8f4b139ef7133c3f8fd1e5df73b19412b73acd

MD5 hash:

927fab3ec236804c2a332e74eebfc470

SHA1 hash:

9d53579e681124074b4c568d01bc3a405d55bd89

Link:

https://www.unpac.me/results/36fbc856-bf68-4fb1-82dc-6efe20adb1cb/

SH256 hash:

9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f

MD5 hash:

7476e403eef14ac403c63c7279831780

SHA1 hash:

8387f558e30dc115987ac2b5c174a41302471abf

Link:

https://www.unpac.me/results/36fbc856-bf68-4fb1-82dc-6efe20adb1cb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/52eaa2efa586bbcabbba08c6bb8f4b139ef7133c3f8fd1e5df73b19412b73acd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/106562/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample