MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
SHA3-384 hash: 53204efbb6a65419dce336c673d613b4d1b9697059cc1d2f90dbe50af90844174c876bc51e792aef1ceca38f40603333
SHA1 hash: 2d4b1ec873a68e489128bfe0b345e26d3601bc85
MD5 hash: 93df36476069ba35847c30ad26d05880
humanhash: rugby-burger-vermont-emma
File name:Oferta OFER30052023 NTV.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:627'200 bytes
First seen:2023-07-19 10:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:WmAY2kcdbL4Efqb7lsHgUtOrRu+Tjp4MT1ociOl1Rx4zxOn/olpbKOa:fN6GEfqKHgUt4vjp4ali2uQKpbb
Threatray 5'045 similar samples on MalwareBazaar
TLSH T1B5D423694DBA641BD73F2FBB100071F142991BD67115CAA25D5EF0BBEB2AB8E4C01B07
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Oferta OFER30052023 NTV.exe
Verdict:
Malicious activity
Analysis date:
2023-07-19 10:40:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0423140d-ccd3-439d-a986-7a86774c717f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/424563/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68239209.11990.30135.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64b7bdbe2ad0f7418d6a2a15/reports/3a6067e3-6ab5-4135-b05a-cb357e3f9221/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a69e84f-8e35-41e4-b205-4802f40ddc66
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275854
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275854 Sample: Oferta_OFER30052023_NTV.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 4 other signatures 2->51 7 Oferta_OFER30052023_NTV.exe 7 2->7         started        11 ZaLLxAVzuZ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\ZaLLxAVzuZ.exe, PE32 7->35 dropped 37 C:\Users\...\ZaLLxAVzuZ.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp2361.tmp, XML 7->39 dropped 41 C:\Users\...\Oferta_OFER30052023_NTV.exe.log, ASCII 7->41 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 Oferta_OFER30052023_NTV.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        21 Oferta_OFER30052023_NTV.exe 7->21         started        59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 23 ZaLLxAVzuZ.exe 2 11->23         started        25 schtasks.exe 1 11->25         started        27 ZaLLxAVzuZ.exe 11->27         started        signatures5 process6 dnsIp7 43 mail.securipro.com.my 110.4.45.162, 49700, 49701, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 13->43 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->63 65 Tries to steal Mail credentials (via file / registry access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 08:37:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqrmsvdl24rzssklf6eqe3i3zs3m4a46o3kn65c5chunfhjjrn3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4179cbf147e658854400967be76ca120278fe858fa44cc24cefea7578065b2ad
AgentTesla
5afc34ba8d87868898a975c8a82a6817739d9ff294fae609b2ca293ac5e478a6
AgentTesla
82ec3f48b64379387613c3cddcdd400f095161826bac92ce3f7907dc3807a9df
AgentTesla
8faf480c1ae966b6f4f2656368ec83dca9ab004811cf330083afc56043735a5b
AgentTesla
920d519caed6fad76c8205ab38d984baccfd97405b1ca5ada793cc50140183ca
AgentTesla
e0a9d1ee5f291098090a028934842e554f4bb482a0100077d909d3005430b2ee
AgentTesla
+ 5'035 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230719-mq39hsdc6w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c
MD5 hash:
ca775551666be768a9241f43eec98b87
SHA1 hash:
fbbd937067a24c48ee5274d3fa2881a991e64f3c
Link:
https://www.unpac.me/results/8b4f4545-295b-4250-9e92-12109b0513c8/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/8b4f4545-295b-4250-9e92-12109b0513c8/
SH256 hash:
3f904659166f6b663cf24fa61597ad4acc7690b64ddcf24631df288ae94ec894
MD5 hash:
4b47c206d82a2da128c3a3fd4c8e45b6
SHA1 hash:
6e93adf7a7c9a3a8d010ecc422edccff93bf00bf
Link:
https://www.unpac.me/results/8b4f4545-295b-4250-9e92-12109b0513c8/
SH256 hash:
6f426d3f8af9a0c05c1ea42b5509f17f89e3e8ef97d940480e1ae6c8025fa288
MD5 hash:
d4bf217761a7582bbc7dfc4b47b06a0c
SHA1 hash:
0fc2959220419ef3c713975e161a5e744a9ab967
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/8b4f4545-295b-4250-9e92-12109b0513c8/
Parent samples :
0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
SH256 hash:
0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
MD5 hash:
93df36476069ba35847c30ad26d05880
SHA1 hash:
2d4b1ec873a68e489128bfe0b345e26d3601bc85
Link:
https://www.unpac.me/results/8b4f4545-295b-4250-9e92-12109b0513c8/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0422c9546bd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/424563/

Comments