MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52ec1da96af76aed2f40385279d9e6ee093ab36d40a3cfc06814458f78059ae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52ec1da96af76aed2f40385279d9e6ee093ab36d40a3cfc06814458f78059ae0
SHA3-384 hash: 78a3bd94e0684d9748afa5b024192e6b2438c0412ae399a47cd8fc7dc655ead4e0e7288bf010814fc187ac2ca545d294
SHA1 hash: 176a9ef282145cc42c511450b839ce8664c8681c
MD5 hash: f7591e08f0af70852ffe2b02568e3fbe
humanhash: bacon-pasta-alabama-pluto
File name:BPCnew-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:23'552 bytes
First seen:2022-03-25 13:53:08 UTC
Last seen:2024-07-24 14:20:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:cfSPCpHKQHnSvJcLJcf9CVAz47pwEKlT:6vCcLJxN7pwRp
Threatray 77 similar samples on MalwareBazaar
TLSH T1CDB2A482E6CC1DF5E4260A715E22BE51162FBE5E94B25C5E7C4EB01506731C321B7E2F
File icon (PE):PE icon
dhash icon 11696d4580628ddd (1 x AgentTesla)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/257711/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GRB.genEldorado.22771.29527.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623dc9831f20423948298651/reports/0e4e96fc-bfcf-478d-8932-a962aa7eca26/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a8ae4b2-ca15-4a15-8eb9-ce25b664fd19
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964614
Signature
.NET source code contains potential unpacker
Found malware configuration
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52ec1da96af76aed2f40385279d9e6ee093ab36d40a3cfc06814458f78059ae0/
Threat name:
ByteCode-MSIL.Trojan.Dnoper
Create hunting rule
Status:
Malicious
First seen:
2022-03-25 13:54:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
14 of 25 (56.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=klwb3klk65vo2l2ahbjhtwpg5yetvm3nicr47qdicrcy66aftlqa._file
Verdict:
unknown
Similar samples:
0fe497b1acbeb3a024b44a626b7b12648789aa7a5c41e828d5d1d7817a7f6eab
AgentTesla
3266cc6c2a2fc1f64000b1ca849da565470cf2bf119fbe377e7ad5234756dba5
AgentTesla
35fd92f42dd1700e15f8889c73604ec0c005cd9d1d1e30adb6d439091e58f464
AgentTesla
754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f
AgentTesla
805aad97c81dea343c603fa472f65b9061c97731e3870bf5de9d8427e604e001
AgentTesla
bcca18fef46e71ff82ff342dbd50f09b9ea768edc5e328fbf85241fcf615507d
AgentTesla
d7ccb616fe7cb8a33d18db6b40c9221db0d7eab713d189306fd7e7565c5d2da8
AgentTesla
f1be4e6d3dc2c6d4ad04a512152177aea74eafcf6c17824db54ef95185915139
AgentTesla
f3de094d3b47ff5064f8163c62df41b615e851a49d1dfbd4904dc188d5234611
AgentTesla
+ 67 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220325-q7lycadfak/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
52ec1da96af76aed2f40385279d9e6ee093ab36d40a3cfc06814458f78059ae0
MD5 hash:
f7591e08f0af70852ffe2b02568e3fbe
SHA1 hash:
176a9ef282145cc42c511450b839ce8664c8681c
Link:
https://www.unpac.me/results/6a771baf-8a3a-4b2f-804e-42b4c1f481a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/52ec1da96af76aed2f40385279d9e6ee093ab36d40a3cfc06814458f78059ae0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 52ec1da96af76aed2f40385279d9e6ee093ab36d40a3cfc06814458f78059ae0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/257711/

Comments