MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb
SHA3-384 hash: 20433f3d815945d101a4b1fef22d43e885589513fc6c96249610ef2117b620e6bf5c8b62db9208f03599fcbc7d2367b9
SHA1 hash: 64153f71174228359cdf950a32154c463144328a
MD5 hash: 59ea9eba616a2ead76a42810ff879072
humanhash: missouri-romeo-two-winner
File name:SALE ORDER_28-08-2023.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:871'936 bytes
First seen:2023-08-30 18:43:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:FlVbiN+fBSX+P8fGnnA4gwknxmKYDM+CeL:FlVbiN2BZP3nnA4g3nFQMq
Threatray 5'553 similar samples on MalwareBazaar
TLSH T19505E02526F84B2AD4BF87F591A043040377B513517FF36A89C064DB2EB2F824A5B79B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e38d0d484a32b4c9 (3 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SALE ORDER_28-08-2023.exe
Verdict:
Malicious activity
Analysis date:
2023-08-30 18:44:42 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/2f6bce40-e944-4bc1-bb10-7cad37c4ee0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445372/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.Siggen2.4552.30322.29791.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64ef8df47444d2eb09f37ad0/reports/afd0d846-2576-4db6-8a71-be607afffe3c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7d9addc-e86a-4d6f-a750-329563fd586e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300597
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 18:41:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=km7n6bwsuo2p7jkuex3gmdkwungunxk25eewp33odhgjemsold5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08552fc7c1fcdb754d81dad78184ad191d0585b970a1b633cef88ce63804947e
AgentTesla
1ba27db394b7c6325c35378c4663a93bdf20cca51d59f02778ad4f90436d7739
AgentTesla
22f66a34d2354f08b0e4924f3d619d6fa0922adda2827f7e6f588f5855e4258e
AgentTesla
2ee41490283fad1457d4870ff08f65cf2a6fd2ff0632fae5e365170824111f36
AgentTesla
37652ff04530efadac718f5f9666c0d51756496e34910d135fe1ea2d78abf362
AgentTesla
48344ddf6064b91600662af7a6b0c9d66b4ed354bd50839c360c21d62d49e63b
AgentTesla
4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
AgentTesla
5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
AgentTesla
be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937
AgentTesla
d2475c14cd534bca8b3a7a584900668545ed04d7f04c55c0958e05deaec4a7fc
AgentTesla
+ 5'543 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230830-xdf9bshb5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
37652ff04530efadac718f5f9666c0d51756496e34910d135fe1ea2d78abf362
MD5 hash:
f85ba10fda0894ff79000ae842fba463
SHA1 hash:
b7d5d0e57ecd8560b7b182a708f04d5194eda9bd
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/4d831ba6-55cc-49da-850c-b6c1f1e83a82/
Parent samples :
37652ff04530efadac718f5f9666c0d51756496e34910d135fe1ea2d78abf362
48344ddf6064b91600662af7a6b0c9d66b4ed354bd50839c360c21d62d49e63b
533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb
SH256 hash:
dcd6ce1dcc84781e3df1ea967b6e95f40d630cfa2087f3290129e08396df643d
MD5 hash:
29e674edfefc3778d818b9685b6cd7fc
SHA1 hash:
b32bf17ff76f82caa95d6812c7c71c26705d98c8
Link:
https://www.unpac.me/results/4d831ba6-55cc-49da-850c-b6c1f1e83a82/
SH256 hash:
e8d399db8c9330cff7ee73eb6a76c93e19cbf190d414773227f5a70a3f8e6613
MD5 hash:
dcd5e01fc044305a42b499363a987837
SHA1 hash:
99492aacf744f389be816b8104c0b76a30e57f41
Link:
https://www.unpac.me/results/4d831ba6-55cc-49da-850c-b6c1f1e83a82/
SH256 hash:
ebaf28744bfa555219d56440db49703efd0e1757e3e219eef119725b4f0090d5
MD5 hash:
13574c506380e6ec0da25e442099b8e4
SHA1 hash:
9900c86a1bb5a605e34de9a4167aa3b93225ec33
Link:
https://www.unpac.me/results/4d831ba6-55cc-49da-850c-b6c1f1e83a82/
SH256 hash:
533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb
MD5 hash:
59ea9eba616a2ead76a42810ff879072
SHA1 hash:
64153f71174228359cdf950a32154c463144328a
Link:
https://www.unpac.me/results/4d831ba6-55cc-49da-850c-b6c1f1e83a82/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/533edf06d2a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0e21b3c48f1594c4a4409b027bc927545f82cd55b35020cc4d24a777ca5bab8f

AgentTesla

Executable exe 533edf06d2a3b4ffa55425f6660d56a34d46dd5ae90967ef6e19cc92324e58fb

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0e21b3c48f1594c4a4409b027bc927545f82cd55b35020cc4d24a777ca5bab8f
Cape
Cape
https://www.capesandbox.com/analysis/445372/
  
Dropped by
MD5 31ea0738629b2cf180f56851b44ec142

Comments