MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b
SHA3-384 hash: 9cf47f0fdcb63a4274d026679e618a34fa713da6abdfb9c8f98049f197be604b1fdf4bbbf4743a593b973990c82543f3
SHA1 hash: 51ace356a871e5831eab17758ff982130f542ed1
MD5 hash: ecfa344adc08c80b1717abc337753e9b
humanhash: mockingbird-muppet-connecticut-uniform
File name:SWIFT COPY MT103.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:599'040 bytes
First seen:2023-08-17 05:56:47 UTC
Last seen:2023-08-17 08:39:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:C7EYqCDl+CDfeY7oiNG3bHfiBmg54cZMl3OXIcDpAafwYaeMZ0U:43v7oi83bHfag3O4e2afwYFy0U
Threatray 710 similar samples on MalwareBazaar
TLSH T1C4D40220733DAF1AE87A4BFB0864619507F57B276531E30D4ED2A4DA655EF800E81F2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SWIFT COPY MT103.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-08-17 05:58:38 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/32dc1a33-4779-4d96-8f8f-f0eee87a2f13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443133/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64ddb6b0b3ff67c5573b3b9b/reports/c4bc2c0f-a930-492e-9c88-7bcd27f780d6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67d84226-637e-4ceb-8475-c1359a2f60eb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292581
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajdci2yukltdwhxkpkj7opu637pf4g2mihjs2rhkcafkbot5jm5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d9870e41cc277f5ae025cc7b5f062da933e1a78d39f76393f0c12ff45f57fe5
AgentTesla
255169d7b1e38899a7ab422e4c44cf11b39b0259144178e24b437cb864674a4d
AgentTesla
294729ec196ae05dac756fc559dd4acbbb9368486901157424a0d71354018b60
AgentTesla
4905116d90f4b6b08798705b2bce585c9c17e8ebb83cc17b998265e2ceb97525
AgentTesla
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
AgentTesla
754d1ba349e7f1633d9a6ee33497c5543aeb8710e70e89e799368d00b6e7062a
AgentTesla
78fedb4b5349e928c359cdbc4e5b0e106ce84a0ee729538e9a28795c5c8fea4e
AgentTesla
8ebc8abe7965da06078b418ac65d4b77c0dc069be320025034c583041d971df2
AgentTesla
8fea022b2f3c3f6f97a8c4ebe93fe862fb731fa82f8d23ac8cd11c21a4824041
AgentTesla
d5ed9504812940d2447bb851ae8bb2467a1578b4554b52bac7654ca62d9e04c1
AgentTesla
+ 700 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230817-gnk29sff39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5752794370:AAGHbBIUSUvwQW5dpdi3bNZyPbHwpEPD5r0/
Unpacked files
SH256 hash:
320a1592cc89d3e8e22c43045166d8d942dc259d963b2ea0a4614f259961090f
MD5 hash:
ba6951d2e0044a4902364b2e7a1378db
SHA1 hash:
cb6a1460aa8d8c0b698c40ebbcbd5843e0933298
Link:
https://www.unpac.me/results/36a00e4f-1f7f-45a9-ae37-e57d30766c37/
SH256 hash:
c3062dae9f9438eef148f1e7518b7f10d7bbe294d6d60dd0c3c16058c8be5d41
MD5 hash:
cef584fa8a5b62e4ecb231b3a4ae17f6
SHA1 hash:
b913140c163cf97c6d50746ec6eef293bb4a2044
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/36a00e4f-1f7f-45a9-ae37-e57d30766c37/
Parent samples :
c0a788ce111b87d5e5861b89112f90c354fb396b4ecc9403b04e22660a180cce
0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/36a00e4f-1f7f-45a9-ae37-e57d30766c37/
SH256 hash:
598a766b26fc39c1092e2f20cee1f42df6d6049d618ac5d4d331c646ab6a8b47
MD5 hash:
00c960e10d544bd0961a993c3c6dbbe5
SHA1 hash:
04018db21d1b12800f1bc413b90ccb3264955bcb
Link:
https://www.unpac.me/results/36a00e4f-1f7f-45a9-ae37-e57d30766c37/
SH256 hash:
0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b
MD5 hash:
ecfa344adc08c80b1717abc337753e9b
SHA1 hash:
51ace356a871e5831eab17758ff982130f542ed1
Link:
https://www.unpac.me/results/36a00e4f-1f7f-45a9-ae37-e57d30766c37/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0246246b1452/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443133/

Comments