MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f
SHA3-384 hash: dd8778a4755fb1966797dc94d0353a9c8d5e1718fd6d3754f355da0ac2b2e139d4fcec7f324d432304877c7cd8de280a
SHA1 hash: 259d04bceec6c36e1d00f5cee32cc0e71c849d4a
MD5 hash: 015178199238da40758768ae286839e5
humanhash: emma-foxtrot-sink-four
File name:ORDER REF8O0579790-2023.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:589'824 bytes
First seen:2023-07-10 09:37:47 UTC
Last seen:2023-07-10 10:09:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:cmxjOdKLoRJ7EktMLDEoNHgSN4f0Ktzce0/O9fz:udWWJntMLOLjCW9L
Threatray 990 similar samples on MalwareBazaar
TLSH T151C4593C0CBC5E23C070D6B68F95C461F558C5EB32A28F7667C79A91461EA0229CBE7D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER REF8O0579790-2023.exe
Verdict:
Malicious activity
Analysis date:
2023-07-10 10:39:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/87198b98-402a-468c-913e-1ce4f8df8d26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/413468/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67958229.27955.811.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64abd198ef1403cd7500e5f3/reports/1ccf621d-5624-458d-b407-a5e3954490a9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9432ddf3-06f1-430b-aaaf-7e281bb8e51c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269600
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1269600 Sample: ORDER_REF8O0579790-2023.exe Startdate: 10/07/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Found malware configuration 2->40 42 Sigma detected: Scheduled temp file as task from temp location 2->42 44 8 other signatures 2->44 7 ORDER_REF8O0579790-2023.exe 17 7 2->7         started        12 aCHDxNqOF.exe 3 2->12         started        process3 dnsIp4 32 api4.ipify.org 64.185.227.156, 443, 49708 WEBNXUS United States 7->32 34 api.telegram.org 149.154.167.220, 443, 49709, 49710 TELEGRAMRU United Kingdom 7->34 36 api.ipify.org 7->36 26 C:\Users\user\AppData\Roaming\aCHDxNqOF.exe, PE32 7->26 dropped 28 C:\Users\...\aCHDxNqOF.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmpEB5B.tmp, XML 7->30 dropped 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->46 48 May check the online IP address of the machine 7->48 50 Tries to steal Mail credentials (via file / registry access) 7->50 56 4 other signatures 7->56 14 powershell.exe 21 7->14         started        16 powershell.exe 21 7->16         started        18 schtasks.exe 1 7->18         started        52 Multi AV Scanner detection for dropped file 12->52 54 Machine Learning detection for dropped file 12->54 file5 signatures6 process7 process8 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-04 01:27:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
28 of 38 (73.68%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kpijtte2gm7h7bzkqyyo45jb55p7ooh3kn2xp7kgvzeg5ixwrfpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03659d0acded7fe7db7daf0c7179d37e20cf38c5db6d5f2942bdcc2236cd497f
AgentTesla
0aea55a753fc5e090556cab151517684fc4526f2fdf65523abea2853ad11ba3c
AgentTesla
6016b69e0267c1d95bdc8d1b685bedd1c0bef182fd197e3ee6f1753b8ba59eea
AgentTesla
7a4d39a7259028f1b42a0eff7414a273057dc2b880108d3152c5b20e02c6a407
AgentTesla
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
AgentTesla
c70291d066509c793d856441dcc58925289bbd828b069cf6a656cbc67d157465
AgentTesla
d60d94a1edcdab800f81abe6f72248469547a1b55f89cd872acda4cc6d7dee61
AgentTesla
d9ad2df08f75b265cb1865f6f3ba322488b69ab7fa1ce94ca509b27ec1c10129
AgentTesla
e81901a970e6242560a0a44bc37bfa54a19174920f1f1ea032aeecc2008f2884
AgentTesla
f4d6855474eaf9cf34a5f7b168b05bf88f174935f57104378d3bc5ac0db64430
AgentTesla
+ 980 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230710-ll45kshf68/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6217300642:AAEzEYz1TGioTKCP9A3FakpN8zVU2uG_u8w/
Unpacked files
SH256 hash:
1a5c70a3c304b6795276a16244b292a13725ef93a05a49bcc9cfd1e617275e3c
MD5 hash:
3e8baf11891964b8adf92d41a8ad55c2
SHA1 hash:
bd211672166ce540f427ab477b89be33c00e07d2
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
Parent samples :
9160d5bf9da57b8baa00455a4db770d895f83250f6e707d3437622a2e42dda60
acb20554d68465b3b3119363102d14b65d6cb977835b7e7ad02aa3aa0c6cad56
53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
c501d80f626f5b3bd8f9170a73d4711f8346ab34af8fa6a65663fa8f17d39b5b
MD5 hash:
1339fbeca2db713dae5f25240e3120a1
SHA1 hash:
190bda98562fb97dbf98dcb4b0e82a20cf7da4a6
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
1a5c70a3c304b6795276a16244b292a13725ef93a05a49bcc9cfd1e617275e3c
MD5 hash:
3e8baf11891964b8adf92d41a8ad55c2
SHA1 hash:
bd211672166ce540f427ab477b89be33c00e07d2
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
Parent samples :
9160d5bf9da57b8baa00455a4db770d895f83250f6e707d3437622a2e42dda60
acb20554d68465b3b3119363102d14b65d6cb977835b7e7ad02aa3aa0c6cad56
53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
c501d80f626f5b3bd8f9170a73d4711f8346ab34af8fa6a65663fa8f17d39b5b
MD5 hash:
1339fbeca2db713dae5f25240e3120a1
SHA1 hash:
190bda98562fb97dbf98dcb4b0e82a20cf7da4a6
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
1a5c70a3c304b6795276a16244b292a13725ef93a05a49bcc9cfd1e617275e3c
MD5 hash:
3e8baf11891964b8adf92d41a8ad55c2
SHA1 hash:
bd211672166ce540f427ab477b89be33c00e07d2
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
Parent samples :
9160d5bf9da57b8baa00455a4db770d895f83250f6e707d3437622a2e42dda60
acb20554d68465b3b3119363102d14b65d6cb977835b7e7ad02aa3aa0c6cad56
53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
c501d80f626f5b3bd8f9170a73d4711f8346ab34af8fa6a65663fa8f17d39b5b
MD5 hash:
1339fbeca2db713dae5f25240e3120a1
SHA1 hash:
190bda98562fb97dbf98dcb4b0e82a20cf7da4a6
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
1a5c70a3c304b6795276a16244b292a13725ef93a05a49bcc9cfd1e617275e3c
MD5 hash:
3e8baf11891964b8adf92d41a8ad55c2
SHA1 hash:
bd211672166ce540f427ab477b89be33c00e07d2
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
Parent samples :
9160d5bf9da57b8baa00455a4db770d895f83250f6e707d3437622a2e42dda60
acb20554d68465b3b3119363102d14b65d6cb977835b7e7ad02aa3aa0c6cad56
53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
c501d80f626f5b3bd8f9170a73d4711f8346ab34af8fa6a65663fa8f17d39b5b
MD5 hash:
1339fbeca2db713dae5f25240e3120a1
SHA1 hash:
190bda98562fb97dbf98dcb4b0e82a20cf7da4a6
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
SH256 hash:
53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f
MD5 hash:
015178199238da40758768ae286839e5
SHA1 hash:
259d04bceec6c36e1d00f5cee32cc0e71c849d4a
Link:
https://www.unpac.me/results/0e325fda-4457-4f2c-91c2-2db7c2268811/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/53d099cc9a33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 53d099cc9a333e7f872a8630ee7521ef5ff738fb537577fd46ae486ea2f6895f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/413468/

Comments