MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593
SHA3-384 hash: 76263c7d9f39c4dc556c2a4e524c88762cda803dbd521bbc1d80ace06495d0a3a604939163b2d1c1ea0fd36a64e78e8a
SHA1 hash: f00e4e310e6dd1121e8923ab4559659ced724dfc
MD5 hash: aae3fd5f37cfe30d323d7d80a6d6f2d2
humanhash: fish-oxygen-edward-skylark
File name:NzDQIFjHGuWNBdG.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'046'016 bytes
First seen:2023-09-20 08:57:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:wd6U/2iNtGx6i0aAfcqBP8nbMkjgilSFGJspcnrPupaIgOL1:xU/1ax6NaAfcMP8brjgi9nxO
Threatray 5'852 similar samples on MalwareBazaar
TLSH T17F256DD1B1548DDAE96B07F1AD2AA43012E37E9D54A4C10C1DDABB9B36B3341209FE1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
NzDQIFjHGuWNBdG.exe
Verdict:
Malicious activity
Analysis date:
2023-09-20 09:00:26 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/0bdcdb55-a8d3-416c-b0f3-42a6283c03b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449984/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650ab41b1edabd99829d5ccc/reports/f7f82d10-b923-472e-b249-1b458099c8b0/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a91b810-74e8-478d-9a71-5700f43ded3c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311431
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 08:19:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
18 of 35 (51.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbgjg76cwynjqjqqxqijsqlvtxmklzepxodi3had4pawaludwwjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0025fa6f194a33862ff4241a1fefed9477645cb36cb99e65d05b639b29dcdcdd
AgentTesla
20ae755cd163b0421ca9c12bc545e9bc22e256a64553ff27423c6e3146a05298
AgentTesla
24302177dedad82f4cd086b6b2014c4832f356753968c97f80a42bdb00dad095
AgentTesla
372293f19446ed57ca833445d5d1efd66a6e4fc56ce5fd3164de5077845f2e87
AgentTesla
4f04a42a32afc88988279c6bd13c58623b9d8989d11119be3f1e3a35fe4d7fa0
AgentTesla
7bb0c7435eac35a50637bb58058fb0b71629b39cc0e7222b991cefeaffdc79a5
AgentTesla
85080c93fed815e1de0896f7e79b99c9d6895572f9223f95ba6f52d132c52b26
AgentTesla
afaeeb8f276bbc3a0e313afd63200cc6437d4c344a658ce3ee0582a8b68a7a1c
AgentTesla
c973ac0f49c3e9fe8acb6116504cce59e13c040105707d3a241802c3e53df783
AgentTesla
f063fd1548945689a8b519daf454193e128bfca6c8b3b061f0ce7185b71412a8
AgentTesla
+ 5'842 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230920-kw59ysfc6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1153579890067640350/ARZfeIar3suCQHsLFn5_77FmZLqCZApTJ_p5KOReGIkX1w-C_brTG7T3ZU1EHmybPUbP
Unpacked files
SH256 hash:
65e27a76da50e9f988bcf7cb142d24c5bc31dfd3f1b21012a7f655ddb1337cc5
MD5 hash:
fe031ba5151a13b4f73bd7d07d9ad602
SHA1 hash:
bcbab67e65b348616a137304a498b5cf2c1b2468
Link:
https://www.unpac.me/results/6155729e-3ded-4908-b7e5-467d1782a22a/
SH256 hash:
0a7ba102274ed10df770b2ac236e92c8217666a2b3e32179fd8f9205a62bb5db
MD5 hash:
66fef6f084eef52c79d865aae9e6ebf7
SHA1 hash:
8109acb69ff84e74e8a14b935af46f7cc60bed0d
Link:
https://www.unpac.me/results/6155729e-3ded-4908-b7e5-467d1782a22a/
SH256 hash:
df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c
MD5 hash:
8383b9306b9b5929b0aed1f24991d929
SHA1 hash:
6acebb9f139a62de981a3ec15ce35f61f5c3132e
Link:
https://www.unpac.me/results/6155729e-3ded-4908-b7e5-467d1782a22a/
SH256 hash:
4c5e678b7f60b777d573e220b600fc13aabbc5f9fe5fcb3bb36dd7546a731bc2
MD5 hash:
8b54371330c313c6fbb0ee01395f2eba
SHA1 hash:
17aff121dd5083503c0d48ad0af75e26f1092194
Link:
https://www.unpac.me/results/6155729e-3ded-4908-b7e5-467d1782a22a/
SH256 hash:
104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593
MD5 hash:
aae3fd5f37cfe30d323d7d80a6d6f2d2
SHA1 hash:
f00e4e310e6dd1121e8923ab4559659ced724dfc
Link:
https://www.unpac.me/results/6155729e-3ded-4908-b7e5-467d1782a22a/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/104c937fc2b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/449984/

Comments