MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c
SHA3-384 hash: 13477a91a2e2cdabbb212dc466877b27bd0994dd757fa7abfa08290a407452ce4560967e608cb9583ad5ee5eab6dad9d
SHA1 hash: 391de0a18f10ad6634e79aee0116888565b6729f
MD5 hash: 65fd7d538fed73bce9ec81e28957e57b
humanhash: bulldog-batman-mike-spring
File name:946943.xll
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'584 bytes
First seen:2024-06-11 18:51:13 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
ssdeep 48:ZvtCcUDxwrlXFIQcqcn+dxD1IguBA2sv8tBLZo:Z1CcSxwVFIJW1e79w
Threatray 5 similar samples on MalwareBazaar
TLSH T18C711EC568D376F9CF51D2318AA3D326E06735280AF2C92143502979EC35B14766CD49
TrID 33.4% (.EXE) OS/2 Executable (generic) (2029/13)
33.0% (.EXE) Generic Win/DOS Executable (2002/3)
33.0% (.EXE) DOS Executable Generic (2000/1)
0.4% (.VXD) VXD Driver (29/21)
Reporter abuse_ch
Tags:AgentTesla xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c.xll
Verdict:
Malicious activity
Analysis date:
2024-06-11 19:14:09 UTC
Tags:
opendir discord exfiltration stealer agenttesla
Link:
https://app.any.run/tasks/902b5e28-9b87-4a95-95e4-ec31befcccb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Downloader-9939983-0
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66689dc6a439c6d6b087811bwin7simulatehigh_evasion
Tags:
Static Stealth Dldr
Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fasm packed persistence
Link:
https://www.filescan.io/uploads/66689cd849a1c830626695c6/reports/59ca940c-836b-4762-bc79-6bd93f217024/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1455463
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1455463 Sample: 946943.xll Startdate: 11/06/2024 Architecture: WINDOWS Score: 52 18 Multi AV Scanner detection for submitted file 2->18 20 Machine Learning detection for sample 2->20 7 cmd.exe 3 2 2->7         started        process3 process4 9 EXCEL.EXE 135 61 7->9         started        12 conhost.exe 7->12         started        dnsIp5 16 s-part-0015.t-0009.t-msedge.net 13.107.246.43, 443, 49754, 49755 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->16 14 splwow64.exe 9->14         started        process6
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c/
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-06-11 06:28:33 UTC
File Type:
PE+ (Dll)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atyieqtww4b63uxm7t73u3mwnzarmh527yovvqjlfmqk3uq77zwa._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c
AgentTesla
58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d
AgentTesla
94b146aebc29c43c227467947ab95df41ffe9795d131c0e16ec54edf232a685a
AgentTesla
a9fa442c7e56486753d03f2420e970df0abd9914e4686a24eeb3e55feb458d08
AgentTesla
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/240611-xh39naxdjh/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Loads dropped DLL
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04f0824276b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/04f0824276b703edd2ecfcffba6d966e41161fbafe1d5ac12b2b20add21ffe6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SUSP_ENV_Folder_Root_File_Jan23_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious file path pointing to the root of a folder easily accessible via environment variables
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments