MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04f59143e6d05f2b94cd081c398b7e4dc6ab486fa83e67194b13582faaa8727a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04f59143e6d05f2b94cd081c398b7e4dc6ab486fa83e67194b13582faaa8727a
SHA3-384 hash: 475ba1830d655d6f7a13e67cc5b2083dcee794991b40f88cc5be6f0b562440b56b205dce1b82a977ec63e74b67c443d8
SHA1 hash: b5839108a8a8084a63926501f9924e4ed273ba78
MD5 hash: 3ff7237b618af4205470c95decc654d1
humanhash: idaho-social-ohio-charlie
File name:Payment Copy (Swift-TT).xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'902'528 bytes
First seen:2023-10-24 08:57:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:aW05O2l2xlrqqQyY0mh5HFksIrfFyld+EhziNeBHT:a/59l2hmh5HesIrfFyld+EhziUpT
Threatray 744 similar samples on MalwareBazaar
TLSH T14CD51A037A8AC9A2C1441737C5E7C4F40364DF616223E61BB5EB6F67BC433A66A4436B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 980f0b0b0b0b0fd8 (2 x AgentTesla)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
PL PL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455927/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade packed
Link:
https://www.filescan.io/uploads/6537871b5f371a3fc8603879/reports/ec7934dd-2deb-4ca5-a29b-96172718a08b/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/04f59143e6d05f2b94cd081c398b7e4dc6ab486fa83e67194b13582faaa8727a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CinaRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/013b29f9-77e3-4a4d-853c-aec44bcbca2e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331139
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executable to a common third party application directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331139 Sample: Payment_Copy_(Swift-TT).xls.exe Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 52 discord.com 2->52 54 api4.ipify.org 2->54 56 api.ipify.org 2->56 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 8 other signatures 2->82 8 Payment_Copy_(Swift-TT).xls.exe 4 2->8         started        11 adobe.exe 4 2->11         started        13 adobe.exe 3 2->13         started        signatures3 process4 signatures5 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->84 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->86 88 Injects a PE file into a foreign processes 8->88 15 Payment_Copy_(Swift-TT).xls.exe 16 4 8->15         started        20 cmd.exe 1 8->20         started        22 cmd.exe 1 8->22         started        90 Antivirus detection for dropped file 11->90 92 Multi AV Scanner detection for dropped file 11->92 94 Machine Learning detection for dropped file 11->94 24 adobe.exe 11->24         started        26 cmd.exe 1 11->26         started        28 cmd.exe 11->28         started        30 cmd.exe 13->30         started        process6 dnsIp7 58 discord.com 162.159.137.232, 443, 49738, 49742 CLOUDFLARENETUS United States 15->58 60 api4.ipify.org 104.237.62.212, 443, 49737, 49741 WEBNXUS United States 15->60 50 C:\Users\user\AppData\Roaming\...\adobe.exe, PE32 15->50 dropped 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->62 64 Tries to steal Mail credentials (via file / registry access) 15->64 66 Drops executable to a common third party application directory 15->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->68 70 Uses ipconfig to lookup or modify the Windows network settings 20->70 32 conhost.exe 20->32         started        34 ipconfig.exe 1 20->34         started        36 conhost.exe 22->36         started        38 ipconfig.exe 1 22->38         started        72 Tries to harvest and steal browser information (history, passwords, etc) 24->72 74 Installs a global keyboard hook 24->74 40 conhost.exe 26->40         started        42 ipconfig.exe 1 26->42         started        48 2 other processes 28->48 44 conhost.exe 30->44         started        46 ipconfig.exe 30->46         started        file8 signatures9 process10
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04f59143e6d05f2b94cd081c398b7e4dc6ab486fa83e67194b13582faaa8727a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04f59143e6d05f2b94cd081c398b7e4dc6ab486fa83e67194b13582faaa8727a/
Threat name:
Win32.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 16:34:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=at2zcq7g2bpsxfgnbaodtc36jxdkwsdpva7gogklcnmc7kvioj5a._file
Verdict:
malicious
Similar samples:
28a46a9953f0b0771ec1bf9527cd35fbefd82119f2f7349faed0e5cbec61abc4
AgentTesla
6349abbe3421de01ecf91ebd3d4f55891ee0a343d67580cea3bb90a5c6b3e436
AgentTesla
6f1d937b47e5910b8d3ba50bd73c3f52ff06b02325892f09f43a51069657ad0b
AgentTesla
7c82e5efb828ae672d131f3b37ff0c4a4d7307b647a5d42a7f2d573584909e3f
AgentTesla
9aecf5734ff36e456fd5a50650b083c1d521d36212c0a440ec6202fc00d14380
AgentTesla
9fe9a0edbf56394c7f65764f1fe3a567ef7689716ee94cd1b415a00f907520bf
AgentTesla
ee7432148405e04f7d9f06bf7705fdcd737a50b0f8b8f0fe7c0c7e01a51e75cb
AgentTesla
f194c468d6650ca2579c1adfdb03ab2bfd5d0f6a0c324e97d5651e1514ea93b5
AgentTesla
+ 734 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231024-kw59ysdf74/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1165348161691320490/owiChq8K990TdqTmlmA_Y6ZHsEa8e8a55mSy2tkQsil_4MaYV8CLebSWMiPwv5n5mlnc
Unpacked files
SH256 hash:
04f59143e6d05f2b94cd081c398b7e4dc6ab486fa83e67194b13582faaa8727a
MD5 hash:
3ff7237b618af4205470c95decc654d1
SHA1 hash:
b5839108a8a8084a63926501f9924e4ed273ba78
Link:
https://www.unpac.me/results/3a6b5e4a-e9fe-4b89-abef-fefdbe868946/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04f59143e6d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/455927/

Comments