MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972
SHA3-384 hash: 494eac6975864f7260432595552952bcb7850c21ed971c98fa52c65ab6a05d9c35252afb23b402c9d2fa7e6b55dc628d
SHA1 hash: ff4b89f08a7c8ce0a87e504719389c0e8278675e
MD5 hash: b488be4699206f2c9c43c007f190816f
humanhash: red-aspen-oven-winter
File name:b488be4699206f2c9c43c007f190816f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:818'688 bytes
First seen:2023-12-08 07:01:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:GwL9yKE6jD/62iNG5nF82rkDnge2LyRkkUsHnKQKAhkjJhJzsotn5TvNzbvZjC:FAKtD/61IU0e2slUsqQWjJzzsonBhjC
Threatray 3'583 similar samples on MalwareBazaar
TLSH T1E405022072DDAB0AE9BE43F90A61D20057B67D2E5531D32C2DC271CF2676F509AA1F63
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463479/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6572bf6b3636548f37426c35/reports/cf467a63-66f7-4336-b428-ea1068a1504a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f702104a-735e-4e47-adba-a9f39c6cb343
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356002
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-05 14:15:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2unlwsncl2r5v7nbsfebbdbte36ed6rkdx7yrlwwcx5jaj5sxfza._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac
AgentTesla
2a33dbe8548389084bc412b6d906717ed20751b2ea63d94bfff0a693a32c6ada
AgentTesla
450add1beb1f7e147fe1bad4703b3cff106ec962e8137dcc3136cf681e9293be
AgentTesla
5ca6d298c6d1b95e2d810bf3906b55355416d88c05c17d4094f87924db898c7e
AgentTesla
b3dfc07d5bc2408921c8f04ea90ef5d3b44bef78ac4ea905e338acd98f7df8de
AgentTesla
c1bf99cc27b4632a1916ca5af4d8946a38e1d29ca0cf5af7eab237c5dac930fb
AgentTesla
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972
AgentTesla
ee2cd4c4e84a33e7ffc4580229719e10f89a1be406aaacdedcba45b552a56f78
AgentTesla
+ 3'573 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231208-htr87sba9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6670271579:AAHln7Op0JjSMa92pjMiSLRC0uIRAw3DqMQ/
Unpacked files
SH256 hash:
4a35390eaa5a0b63a425e13d7f9cc53c434974518588b90db938c68fd4bd4cd4
MD5 hash:
a7f90e9b2e52a930225bf7348deb9646
SHA1 hash:
fe62a037af9e65a088b98591255e075d7fdf48ce
Link:
https://www.unpac.me/results/2ded96e0-fb9f-4727-ba02-816f2c4e85e0/
SH256 hash:
45ecebe31e900d12fdbf9d500b11bfbfcfba4e171340cfce5210b06111af587b
MD5 hash:
835cafd9c61da0f7bd01ebab7c5be2ca
SHA1 hash:
e18d573dfbae232431012ab4447e5ddc34ff678b
Link:
https://www.unpac.me/results/2ded96e0-fb9f-4727-ba02-816f2c4e85e0/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/2ded96e0-fb9f-4727-ba02-816f2c4e85e0/
SH256 hash:
646099e4feed258c9f5f85b6368a82fed02aa987deffb6e9e366e736a8d8e3ad
MD5 hash:
aad6ea95b550219c09074d5a8a7ccc73
SHA1 hash:
756006ff1eecfa7b6a68bdc871349fafe3825a21
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/2ded96e0-fb9f-4727-ba02-816f2c4e85e0/
SH256 hash:
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972
MD5 hash:
b488be4699206f2c9c43c007f190816f
SHA1 hash:
ff4b89f08a7c8ce0a87e504719389c0e8278675e
Link:
https://www.unpac.me/results/2ded96e0-fb9f-4727-ba02-816f2c4e85e0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d51abb49a25e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2738684/
Cape
Cape
https://www.capesandbox.com/analysis/463479/

Comments


Avatar
zbet commented on 2023-12-08 07:01:50 UTC

url : hxxp://198.12.81.254/303/wlanext.exe