MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c52ace76d94d2c7687a8c4bd529f86c343c05cc388df75432736b1c384f8677e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 8
| SHA256 hash: | c52ace76d94d2c7687a8c4bd529f86c343c05cc388df75432736b1c384f8677e |
|---|---|
| SHA3-384 hash: | 7005358dba2cdee546732056272ad6bab30e30e8e08820a6421d094ce6d0e6b1fc13e97eeb3bde8252766e4a18d1139e |
| SHA1 hash: | 7768c676e75565d2c09505bab2f765bc583c1170 |
| MD5 hash: | 2e14c53a16fd3117aa1e940c69679c23 |
| humanhash: | network-thirteen-louisiana-apart |
| File name: | file.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 4'023'456 bytes |
| First seen: | 2021-01-15 06:13:22 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger) |
| ssdeep | 768:CyvkCrYIxS7gsxQbz7nKmuBNhYEPSL6HSeJJcZGgd5jFjKtZ/6eSwsIXNWxQhwbw:3kCrQ7pxQv7n67h3PtSxZGgPHa |
| Threatray | 45 similar samples on MalwareBazaar |
| TLSH | 2C160CD6DDE391C986278B0A62E427EEC6B5277210DDBD2F5C3907576683B310B24E32 |
| Reporter |  abuse_ch |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 06:19:31 UTC
Tags:
evasion trojan rat agenttesla
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Changing a file
Using the Windows Management Instrumentation requests
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a window
Connection attempt
Sending an HTTP POST request
Reading critical registry keys
Creating a file
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Stealing user critical data
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Agent Tesla AgentTesla
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Agent Tesla keylogger
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-01-15 06:14:06 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
unknown
Similar samples:
+ 35 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
10/10
Tags:
persistence spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
c6b341c14a06a036858cb91ab50f3858ded55cc1dae5d4aed8f8f15c39609227
MD5 hash:
079c508099a2c70c06e966e3418000e9
SHA1 hash:
bdaecadc92a612f3495f27fa7e445b1bb1d8b2f0
Detections:
win_agent_tesla_g1
SH256 hash:
91c538ed736bb04faa42c2dd86bda3065a1e6d7a851ff9ea5cf40976f4590d0b
MD5 hash:
7528243adbc8062a2a0b5e6729f258c5
SHA1 hash:
a684975cfe2742a08b2915b6a634e60e03e1b31a
Detections:
win_agent_tesla_g1
SH256 hash:
cfb612983c2299bab86ca33f5f520ca12d69799b7cea659bda10af11354041c1
MD5 hash:
028d73ba53ef130942b8cd3d29d52fb8
SHA1 hash:
307407d4056cf99c6f438f86667cb47a3eb65a29
Detections:
win_agent_tesla_g1
SH256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
SH256 hash:
61e70f96e592cef5c447064bed68d7673039da3afb390258701386dd28e1d883
MD5 hash:
531d72ab42c8d211e054fcfe1ac2247f
SHA1 hash:
052aedfeab42fa84ac00f6b52a0a7ab961bbdbef
Detections:
win_agent_tesla_g1
SH256 hash:
166a93cdbd2ffc5dbad13b2239a6d62176377162f70536e58e29b9892fca2672
MD5 hash:
e8d3ecce9c9d36fd98377636c491d4ad
SHA1 hash:
00a5e613b88707f298a3f603fff457cc7a0b5d3f
Detections:
win_agent_tesla_g1
SH256 hash:
c52ace76d94d2c7687a8c4bd529f86c343c05cc388df75432736b1c384f8677e
MD5 hash:
2e14c53a16fd3117aa1e940c69679c23
SHA1 hash:
7768c676e75565d2c09505bab2f765bc583c1170
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.