MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5
SHA3-384 hash:	fbf123fe4bf582ee0e68b93685493e8140705b61dea6459ea86f69312abb3d3d6f02c5537d61fc2130c5862af6a8f91d
SHA1 hash:	4e3d04b2f10da1960710b5ecd832357c714c56f7
MD5 hash:	c0d89223152b5950bd09936797135a1c
humanhash:	thirteen-alpha-indigo-neptune
File name:	发票 5200549353.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	675'840 bytes
First seen:	2023-08-07 06:43:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:/+1yYQvjOQayZEc1aqvnVnufbxNhxdrY05XX1duC/ZfcZzPy:/+1AOmEeBnVu3NrVHyYJcdy
Threatray	5'515 similar samples on MalwareBazaar
TLSH	T1B8E4239930545F3BF53983F958D3E73257B5A82B2522D3288DFA56FA2432F8204D0E57
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

发票 5200549353.exe

Verdict:

No threats detected

Analysis date:

2023-08-07 06:46:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fdeec6fc-aa40-45a3-a146-6e9e37671897

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/440966/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2244.2894.677.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/906c0d29-7f11-4357-b68b-213e0bd072b2

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1286878

Signature

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-08-04 03:06:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kytckjxexz3icqsfzarknnjb3ppcyxjsthynws5sxr5y7xxb5c2q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4a6391439592ce3581a5d2c8f6195cc7e582d69222cf0e23d6bb0e8962abd1c2

AgentTesla

793e60744aa163e0da636233df2fc83f43d447cddf4a89b28ff15a0ca95e69f9

AgentTesla

7deb65a2ec42de8489a8b8283a8927b3ec8301e4297e5daadc58f172b9c289db

AgentTesla

d56f7dbd535d973bc8b14f22c58ab9c658e0bbe3f3139e7c16c619dba98ec664

AgentTesla

e5950c07075986a0e853f4e919e1c39f0e64a878ff97143a1d49ea5a4eb186df

AgentTesla

fb0533fddd270310cba6cd3a1cae5f23356a0a28cfdb85caf6dc0c41f8c19590

AgentTesla

+ 5'505 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230807-hhgnbsfc41/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

206a4e360a7a1da549bae40a64f3597ec06dde6a268e47edda6f22c1d6b6c226

MD5 hash:

854ddc2cbc2999e208c5257227ba99e4

SHA1 hash:

fcaf9edca8eed07e0b82858a406bbf33cad40499

Link:

https://www.unpac.me/results/12f49f3a-96f1-4243-aabc-be154ba6b384/

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/12f49f3a-96f1-4243-aabc-be154ba6b384/

SH256 hash:

d1674ad53607a79e287d2878b45f260ef4b54ab261a60ed463abc2f18ef30264

MD5 hash:

739f483d8035f7ab0f9e42d9e7759c8b

SHA1 hash:

a6f727e8a92060aa86a2c5005c7abf968889df4d

Detections:

AgentTesla

Link:

https://www.unpac.me/results/12f49f3a-96f1-4243-aabc-be154ba6b384/

Parent samples :

56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5
90b9761dcd25c9d5b71632aceb036e4f7c66230a1e27fcb98d9a306d2caff7ed
96df12776607bce40d6ca1c8b9e79ac9b8bc8057ddf91014599e5452896ef4e0
d2475c14cd534bca8b3a7a584900668545ed04d7f04c55c0958e05deaec4a7fc
22f66a34d2354f08b0e4924f3d619d6fa0922adda2827f7e6f588f5855e4258e
5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
65991091fbb81c3961dd91240296ae03aec2a94ef682dd194134e8cfdf69f8a4
ffa8e6e00d583ef5154e0e33f28d775858e9d71fd8e45247cec4e60e723f8f9f
64db0ce4b48466deb70395bfe2763f916c2cf1f7e967a266dc42484a02c83c1c

SH256 hash:

bf07f90895592c2e90661bf8152bffa07657223f8670287307aaa47bd4086da1

MD5 hash:

d88a5f5dcd4063bc856bf8b82f08c925

SHA1 hash:

9ede034931d2c917bcbe25dfe918860db2f389f9

Link:

https://www.unpac.me/results/12f49f3a-96f1-4243-aabc-be154ba6b384/

SH256 hash:

56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5

MD5 hash:

c0d89223152b5950bd09936797135a1c

SHA1 hash:

4e3d04b2f10da1960710b5ecd832357c714c56f7

Link:

https://www.unpac.me/results/12f49f3a-96f1-4243-aabc-be154ba6b384/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 56262526e4be76814245c822a6b521dbde2c5d3299f0db4bb2bc7b8fdee1e8b5

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/440966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample