MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b
SHA3-384 hash: 4dd064d097c3cddd4c34bc19218719a17008612ba762c1cec8a54dce6482cb6045d439eefab30147b022036f2482f05f
SHA1 hash: a6876e3fdbeffbdc55db62327cd2dc328915dcfb
MD5 hash: e90237d59aa816120d3a2fe9ddb1536b
humanhash: alabama-delta-victor-batman
File name:PO_CW00402902400429.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'680'384 bytes
First seen:2024-09-23 12:35:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22a65106d3d84ea74d966fa0424a5a0c (8 x Formbook, 2 x AsyncRAT, 1 x AgentTesla)
ssdeep 49152:OAodtaG9kS2U84B+FLan9k5TRM9zlIVj6:y/B1X
Threatray 59 similar samples on MalwareBazaar
TLSH T11475CF19E3A811FCD52BC674CA55A233E6B170560B21A5CB0B99C7452FB3EE26B7F301
TrID 47.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
35.2% (.EXE) InstallShield setup (43053/19/16)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO_CW00402902400429.exe
Verdict:
Malicious activity
Analysis date:
2024-09-23 12:41:10 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/eedd8e97-11a1-4aec-9ba9-ab5408220de9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.18752.31964.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f160888aca58c2b2c6e7ee
Tags:
Infostealer Network Static Stealth Gensteal Agenttesla Lien Spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint hacktool lolbin microsoft_visual_cc packed regedit shell32
Link:
https://www.filescan.io/uploads/66f16082bb9fe02b41b595e0/reports/5bfb3229-3b7d-46c6-bbb9-0bd68ce5f0b4/overview
Verdict:
Malicious
Labled as:
Trojan.GenericFCA.Agent
Link:
https://www.hybrid-analysis.com/sample/f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e954327e-e826-4f23-88ee-919c570cd60e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1515800
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b/
Threat name:
Win64.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-09-20 12:51:19 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
23 of 36 (63.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6u5mdhq6viwattk5ah67q7kur6tpspqc72cwffy2hobwm5oadb5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
agenttesla_v4
Create hunting rule
Similar samples:
219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f
AgentTesla
4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175
AgentTesla
bef721bdc066308d9966d0ff47fa2458141c6da5c0de46d14f8b56154dddbb4a
AgentTesla
f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b
AgentTesla
f60a33a69d22f73768dca02063c875e3dbeae931f741b05278ed908db8fc0de0
AgentTesla
+ 49 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240923-psckpazenf/
Behaviour
Modifies Internet Explorer settings
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
AgentTesla
Verdict:
Malicious
Tags:
agent_tesla
YARA:
n/a
Link:
https://app.threat.zone/submission/ae4309db-9816-410b-bae3-df19ada576a6
Unpacked files
SH256 hash:
f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b
MD5 hash:
e90237d59aa816120d3a2fe9ddb1536b
SHA1 hash:
a6876e3fdbeffbdc55db62327cd2dc328915dcfb
Link:
https://www.unpac.me/results/ab7f58fd-02a5-47bc-8469-00f84abaa9cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolIo
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments