MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA File information Comments

SHA256 hash:	088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c
SHA3-384 hash:	7d09e1e209a0e7f6731ecca33b3954615a1cf78e0646eec31bf779c971ef0f8f2447f3c4a23c744d331b0e0ecb770397
SHA1 hash:	5cc9ce3d985f97f68bb5b28879f7abc198ecc82d
MD5 hash:	4bce5b58ac195df462c3092ed61d4a33
humanhash:	double-jig-nitrogen-stairway
File name:	4bce5b58ac195df462c3092ed61d4a33.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	721'408 bytes
First seen:	2023-12-24 08:22:07 UTC
Last seen:	2023-12-24 10:14:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:LZSy2stiomWOHSfHcJOJLt3ZT+7dxATplpsRa7LXU5p0KMLY/KY9VA3NF5:VVt//BFJLhZTydSplpsRa3XU5pYyKg
Threatray	4'227 similar samples on MalwareBazaar
TLSH	T115E402953B7C6F26D0BD97FA0100605907F2956F30BAEA4C9DD270EB65A4F018B11FAB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

4363463463464363463463463.exe

Verdict:

Malicious activity

Analysis date:

2023-12-22 08:40:02 UTC

Tags:

loader hausbomber stealer redline opendir stealc dupzom trojan servstart phorpiex arechclient2 backdoor

Link:

https://app.any.run/tasks/61fe2074-bc0f-4716-943f-b85a543f7e0d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/469198/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6587ea696b1c246046049f89/reports/5d0b5b15-0c82-4025-8e9d-71b296c4c014/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/36e1e778-eb93-4f06-95a5-d4c86b74bd30

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1366652

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2023-12-22 12:41:43 UTC

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bcerf5jbqe74yr6h5uwdn5expycjunmwa2ij3k5umqrpu6gql4wa._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

5dbac89a6802a5144699a6e8a4ba1b2016857f03b0e01b6680af7f223f34f22c

AgentTesla

8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d

AgentTesla

9a1138a162bb083659fe3716b97ed51486af388c69929decf4db49577c826bd2

AgentTesla

a8484d4b644528dca4b09691169ac66e7668a7a79c1c0e5f4ebcbd521c3d2d57

AgentTesla

e49df0f66eb42b10494df1c1c8518fe9ab49b30df38b148c2158149d52a11b91

AgentTesla

+ 4'217 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231224-j96bfadgg2/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

319c678945a69d3d84f60ff3ecb378055b0c799ff718291fd5dab723a6afa4cd

MD5 hash:

2a1d7f13a0c5c0219a1c6d2c166e9335

SHA1 hash:

ecdf5a49645588c94ce10c34c95f74804f606810

Link:

https://www.unpac.me/results/ba2e07a5-aa88-482e-9d92-75ed79637ef4/

SH256 hash:

d9332d905635c6acc256b2b8e490becf03eac90400120dd333745a48a747ff1a

MD5 hash:

ffe13edbc049ce7b6ef7a3673928633c

SHA1 hash:

9c265068b32533f1c5dffd6792605093f95a227b

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/ba2e07a5-aa88-482e-9d92-75ed79637ef4/

Parent samples :

5dbac89a6802a5144699a6e8a4ba1b2016857f03b0e01b6680af7f223f34f22c
9a1138a162bb083659fe3716b97ed51486af388c69929decf4db49577c826bd2
a8484d4b644528dca4b09691169ac66e7668a7a79c1c0e5f4ebcbd521c3d2d57
8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d
088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c

SH256 hash:

03fe5de7042f52b3e681fefdb843362d077a32ca7ee6ddfde199e144674d5367

MD5 hash:

16ef4e164012b2dd1e12fc503c2aa283

SHA1 hash:

8027c33ea413c4ae6f99268ed3b271821e4505ac

Link:

https://www.unpac.me/results/ba2e07a5-aa88-482e-9d92-75ed79637ef4/

SH256 hash:

311f5dbaf31ed25df38365d5a7c6e937a73b204f10ce58b912348ea3fa6a5bec

MD5 hash:

c201fb67e02eea5316034f91495aefee

SHA1 hash:

1e38d083579d2cbd96487aa686012d3e199c509e

Link:

https://www.unpac.me/results/ba2e07a5-aa88-482e-9d92-75ed79637ef4/

SH256 hash:

088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c

MD5 hash:

4bce5b58ac195df462c3092ed61d4a33

SHA1 hash:

5cc9ce3d985f97f68bb5b28879f7abc198ecc82d

Link:

https://www.unpac.me/results/ba2e07a5-aa88-482e-9d92-75ed79637ef4/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/088912f52181/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2739476/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/469198/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample