MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d527329e8357f80cb29fda1069d67b7799a7e7b0147dc3a494bb0f80fa63152. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	5d527329e8357f80cb29fda1069d67b7799a7e7b0147dc3a494bb0f80fa63152
SHA3-384 hash:	9185c330f0d3f60261a82120242829a78509788ae862157146444bacf1090eae53f5e5ff6485ddb2745784a90cff839f
SHA1 hash:	8510e8f412709fcaf0c0ae18c8560369f64210de
MD5 hash:	fadb0834265458161b8f5eb793193b0b
humanhash:	lemon-william-fish-magnesium
File name:	YNTG7UUiZ63KVXh.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	767'488 bytes
First seen:	2023-02-21 11:18:09 UTC
Last seen:	2023-02-21 14:17:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:zYnC4OIkegET9jsIBMNjnNNOhAe/S0U3L2j7ZFdYg6VTMNnQAmvdchRlx+e9koRT:z2jTsIBMNjnNNOhAe/S0Rj1FSQNBC0Pj
Threatray	3'220 similar samples on MalwareBazaar
TLSH	T1ACF4F43D38B796D2C239FA3386D7E520B6BD80923313D959D9D61AC04F426827DCEA5C
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

YNTG7UUiZ63KVXh.exe

Verdict:

Malicious activity

Analysis date:

2023-02-21 11:19:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/19c1b6c7-85e9-4cd7-ad77-c4ec079ec05a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BumbleBeeLoader

Link:

https://www.capesandbox.com/analysis/368599/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.582.17549.5923.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f4a8a8d385ee58584e447f/reports/8eb392ba-2811-4429-828c-98a742257a7c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5d527329e8357f80cb29fda1069d67b7799a7e7b0147dc3a494bb0f80fa63152

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ceabdb37-042c-4380-acd9-72f8f2415969

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1179679

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5d527329e8357f80cb29fda1069d67b7799a7e7b0147dc3a494bb0f80fa63152/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-21 08:03:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lvjhgkpigv7ybszj7wqqnhlhw54zu7t3afd5yosjjoypqd5ggfja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95

AgentTesla

a146acfa60d74e1bba11363ac6df213b4428f642dd17b336660d87198ebdecce

AgentTesla

a352a9eca506153d30c228073b19eb566d9781c290f25e75d28157494d2d42b0

AgentTesla

affcc95b61bb0461fcd218472be113a32059cc9abef6cb88aecaaf6577634239

AgentTesla

bdf30178d213789a9a31a454653a627d3cef374e860fecbd5ff1e49ad30c6d8f

AgentTesla

ce5c147f75c354710869fde43cdc99afb90de8f43d5a0a58cd7456ade759b110

AgentTesla

d6aeb3ff89d6756a14f8a7731c4caa67fa652a5a4709c6804b94879f751a3c6f

AgentTesla

+ 3'210 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230221-nevcxagd9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

8474f9d64cc64561ce437b79b1b14e898cce1c1af484c309d919932356a0669e

MD5 hash:

0523feab6ccfcb2604169fba469c8f16

SHA1 hash:

f7a2a16a659fd96e2a6dee279a230ca36dfb169e

Link:

https://www.unpac.me/results/851cdd77-241a-4b26-b0e6-7b915d8e72d8/

SH256 hash:

94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129

MD5 hash:

874dcc6be499121b1425bfdff1f8ad46

SHA1 hash:

66f83bedc73876b77e152c604b8214bde86d965e

Link:

https://www.unpac.me/results/851cdd77-241a-4b26-b0e6-7b915d8e72d8/

SH256 hash:

e43ae27c14f7289713efc115d191ad4b32a90dacbecdb71fffac0e5906bad3a7

MD5 hash:

653730e10aabae604618925304624f97

SHA1 hash:

4f2efca7005e67a4b0a05d0259daef41d75ae0e6

Link:

https://www.unpac.me/results/851cdd77-241a-4b26-b0e6-7b915d8e72d8/

Parent samples :

619d0f22fde3e64e9a65e98b056cf63c1fe446025a9f342f780adfc8e1f456ce
96c24ab2dda4a9b356015f223dc667600f7c347a1558204965bd11d8206f6932

SH256 hash:

5d527329e8357f80cb29fda1069d67b7799a7e7b0147dc3a494bb0f80fa63152

MD5 hash:

fadb0834265458161b8f5eb793193b0b

SHA1 hash:

8510e8f412709fcaf0c0ae18c8560369f64210de

Link:

https://www.unpac.me/results/851cdd77-241a-4b26-b0e6-7b915d8e72d8/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5d527329e835/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5d527329e8357f80cb29fda1069d67b7799a7e7b0147dc3a494bb0f80fa63152

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.