MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e
SHA3-384 hash: a8428422b2b7d57e8fd2b7d56f60a2a9eda699d3c9d6bbc46df926749914c984ad1596b442b3c0b4b00a368f5d7881c8
SHA1 hash: b45a18684f4b62a40a271594cb54ed0a27d00d85
MD5 hash: 788155d24cccf7212342e68c442e6937
humanhash: purple-violet-green-utah
File name:SecuriteInfo.com.Win32.PWSX-gen.7147.18927
Download: download sample
Signature AgentTesla
Create hunting rule
File size:652'288 bytes
First seen:2023-07-17 03:27:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:lyJESZiEGjslqRISR++NEtfzzPEDMMLnbKxS8mRtRJc0PDcarZ9NMKrJLUIUHFb0:lYEQGQIut7DVWmyTcmDrrZHybFlAqF
Threatray 4'897 similar samples on MalwareBazaar
TLSH T190D44C0B39D02A57E42E427E107C6A6CEAEDE61D423FD928342DC293B2F664C0D5D75B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.7147.18927
Verdict:
Malicious activity
Analysis date:
2023-07-17 05:20:47 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/56929643-96b1-439b-86be-c5e846ef0bb2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/422094/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7147.18927.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/64b4b544f52c3e1a0149a3d8/reports/b09c9e13-35da-45ac-9b08-82045cd8243c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4e8bfc6e-f6d0-4662-b974-4e920b776704
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274180
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e/
Threat name:
ByteCode-MSIL.Trojan.Formbookinj
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 03:28:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uxrbiexs3urnaglrkgclk6m4cjqhraejyytitn5uql3gtwfqfpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0aea55a753fc5e090556cab151517684fc4526f2fdf65523abea2853ad11ba3c
AgentTesla
221cbe3d9337980d54b25da354e9668353bdce5fc307905821617dc767265d90
AgentTesla
6b931eba421ceaec90cb942759c2ed28919f648a91f8f28985f3dd6d8df4044c
AgentTesla
71626f4c825903dc56b7df19096cf84ae800ce19aa6e02f23d72fe847eb3cec1
AgentTesla
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309
AgentTesla
bc1415731a9741b45e3cf26d00860b2e3ebff43550c7926d4dbf9ef06ad0058d
AgentTesla
c536d89faaeab45c7968c538301c21bcef38fd717f4d86d8038fe2d2fce5b486
AgentTesla
d3fa8bd6b585950b90a820e54ce4b98e306dba962498f7f098ebd811dfdc735f
AgentTesla
+ 4'887 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230717-d1bsksag5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
66486c9d1777b4ce79d7f0863281e3cb495abac296110e7612ab47c5a22f9baf
MD5 hash:
678a777c3a44e6c359cf609cde48a86c
SHA1 hash:
c56cc9dc3529af668c458c74453a71d0bc330f4e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e7987aa9-4b0f-4447-bc46-126bd33d1c83/
Parent samples :
49da4974053f09eb0c9f50c57302d450b11bcabdc48efa873a82a984b6d74d2e
d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/e7987aa9-4b0f-4447-bc46-126bd33d1c83/
SH256 hash:
6a72cda4d5ff65ab557a2d4a220aac996ace7479253e4c063c2be46681a5e94c
MD5 hash:
7eb14ed88497d0b3dce58c478a15aaa7
SHA1 hash:
7f9b5a9b91d8d7af018faa53870cf8c5e501b459
Link:
https://www.unpac.me/results/e7987aa9-4b0f-4447-bc46-126bd33d1c83/
SH256 hash:
d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e
MD5 hash:
788155d24cccf7212342e68c442e6937
SHA1 hash:
b45a18684f4b62a40a271594cb54ed0a27d00d85
Link:
https://www.unpac.me/results/e7987aa9-4b0f-4447-bc46-126bd33d1c83/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/422094/

Comments