MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4
SHA3-384 hash: b546133f12fa37cc0a405f51db6fc3999875e0a145aa8acf3324bf5a9eb8c50ba486aac92656404159c00cc00e59e27a
SHA1 hash: 3b493e1a2258a36b2b485aac7cb979ded84f2b4e
MD5 hash: 7e5be14320e86b4064e87aeba8ba7904
humanhash: gee-lemon-single-beryllium
File name:SecuriteInfo.com.MSIL.Kryptik.AGUH.tr.10395.8277
Download: download sample
Signature AgentTesla
Create hunting rule
File size:704'512 bytes
First seen:2023-09-21 02:30:24 UTC
Last seen:2023-09-21 12:53:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:2lqEisUH/Wh00FwmN1sraT25r/Ia9pnlYSaMmEGUwv4dykp:QqEWQwmN1s9AGpuSaQRLy
Threatray 5'928 similar samples on MalwareBazaar
TLSH T1ADE4231F67244F22F96C56FDB1B1320013B9E25E2992D3194FCB75F46AD3B852A48AC3
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.MSIL.Kryptik.AGUH.tr.10395.8277
Verdict:
Malicious activity
Analysis date:
2023-09-21 02:31:38 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/b58d6fa9-ae90-403f-a1f6-4cfec5603f6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450214/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.AGUH.tr.10395.8277.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger masquerade packed
Link:
https://www.filescan.io/uploads/650baae633582f234efdf1a0/reports/cbd6c17d-b8db-4191-a3e6-9904b2c54c7b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/454e61bf-bc67-408b-ad08-036af90d840f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311947
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 00:34:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 23 (78.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kpd5blsto2sdt4aigvonzxkwwew4vuj5vnmipoi47i57ii3cthsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0432b62b226056b540dea3ec016a862521c3191da87f99ad5a02a1f633f9b947
AgentTesla
08552fc7c1fcdb754d81dad78184ad191d0585b970a1b633cef88ce63804947e
AgentTesla
3b6a3c3e882e95192ca46c020d2651800671e59816eb9aa0cef15cabdbfebfe7
AgentTesla
478d51fa24c69ccaa66567cbcdf3105f7c302bbba2b88db7cfee19fe84acf64f
AgentTesla
601ca85fa385ee74827fc023fc91c88964e8bc7dd8724305cddf1e089c7d372a
AgentTesla
8418ebee87a14a2ecbf14dcab28b5b311efee6d4a66cf95ff6c748e35320485a
AgentTesla
be3e33e623ee03410108daa0edf6395c15d53bb8e81102c5f6023ba2894232ae
AgentTesla
cf0dd63651cf5fa24b8b70384acd86edeb4c0eb3b47ca7684d817a76eb55eeca
AgentTesla
dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
AgentTesla
ea76d84bffa9794fe86505016d0370dd29db84fbdff79a26bfee30be32a7a0a8
AgentTesla
+ 5'918 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230921-czp35sec99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
fb302757e56765d4d9e304bc0522308a31b50d1afd444f7fbac16380220e8f03
MD5 hash:
e0b02dfeb94656ad9730ccc55c47500a
SHA1 hash:
f0c4d9c83441e6114b173526e566882cc3586f37
Link:
https://www.unpac.me/results/904bf8ca-c21b-4ff1-9784-baaf432f286b/
SH256 hash:
a8a5fa695501c7d7e1c70dc9c7aa9dbaa98d03c4ded262947811cb883c3afe7d
MD5 hash:
200ab8e098a1e41ca357d3cdcfab4bdf
SHA1 hash:
dc2a6966c9b964286e41d8cc77d57bc5e41ed216
Link:
https://www.unpac.me/results/904bf8ca-c21b-4ff1-9784-baaf432f286b/
SH256 hash:
ea82d7e23eb6eb34cdae298e3f612be3275f504ed7cc5438a7d18944b0e94aa5
MD5 hash:
4e331f561f265987fda8c37ace0b7e30
SHA1 hash:
93f390704dd5afe9fd7c8ea4e2aade78ba25f661
Link:
https://www.unpac.me/results/904bf8ca-c21b-4ff1-9784-baaf432f286b/
SH256 hash:
f18ede1829f6537e67a2f4e8cdcd767ee6b50b8dab392ecf26c75ac34e1494fb
MD5 hash:
65d61d54ea7665a497fed9699cc9e7e5
SHA1 hash:
8418bb9f902beac21267a1a60ac8431a4179defc
Link:
https://www.unpac.me/results/904bf8ca-c21b-4ff1-9784-baaf432f286b/
SH256 hash:
b97687d8fdc91921180355f4e779f2ae1817dfa964401fc272154ad2eb0e06bd
MD5 hash:
25245a2e1c8a2551c9c1b956d514bea7
SHA1 hash:
07390d9cc02a3b86b35573893fc0ac3c9bf4bb48
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/904bf8ca-c21b-4ff1-9784-baaf432f286b/
Parent samples :
53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4
d184de6dec2429ce7f49260eb15b28964af899ccd0a3721269346c29dea25ee2
SH256 hash:
53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4
MD5 hash:
7e5be14320e86b4064e87aeba8ba7904
SHA1 hash:
3b493e1a2258a36b2b485aac7cb979ded84f2b4e
Link:
https://www.unpac.me/results/904bf8ca-c21b-4ff1-9784-baaf432f286b/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/53c7d0ae5376/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/450214/

Comments