MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22
SHA3-384 hash: 2cb7ed657cdfb28f4c8546dee679ec9cf58d80fa3ecd7872c49a157c838ae590c1135b891cc2f4b5df93e2b59301a410
SHA1 hash: 4594dd3f74f83980a547bd8b7376f78bb39237e2
MD5 hash: 09b46bba0b0a29dc5b9e8d92df13b159
humanhash: july-steak-maine-avocado
File name:Order List.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:770'048 bytes
First seen:2024-01-25 07:15:04 UTC
Last seen:2024-01-25 15:32:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:4BRmU3YVf8jXDkDVMqz7gwlIBZgCXqboMbKi0f9EMYqnQd4NgozpI/8erRw/GdT4:4BQJVHvn0DBXSPbKi0f9EMYqw4aoNI/g
Threatray 4'992 similar samples on MalwareBazaar
TLSH T1CCF42390F71DC7FAC0FE53B609A0977053B658175C62EF8C69C910EA0D737315816BAA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6cccccccc8d4e4cc (5 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
313
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472847/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.27911.11659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65b20ab387258803c23ead32/reports/a7ce8802-f745-47ce-a612-6ab98d10ade3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c60ae150-4e06-409f-b69e-effd62b18272
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1380891
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-01-25 03:57:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnfgxzsbosydzxgmloywrs53g2miekisekdfywd645niheesn4ra._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22
AgentTesla
33799badf5d4a18281869c2e31449d318f91beb75388f6313b8fa717a5d2aa2c
AgentTesla
5b17813545c85a10c81e81610c7ebf01d2316f80c8b02b89bb747c31a8c919e6
AgentTesla
9d58f6f9e8cadbecbbef127edaa0f5376f8a52643e8d08d029f6672783a16e22
AgentTesla
b5e780ba89a5931161f195adb76074b20fd6a6074193529cbe6fd80031f66ad0
AgentTesla
+ 4'982 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240125-h3slbsbddl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla
Unpacked files
SH256 hash:
a872fc47bab2085db7e1f4ecdb71ea3c80a3ceb23bee0becf7082827033a0370
MD5 hash:
77f622f1690a5ed122326d4131654333
SHA1 hash:
f925b4ef68755cde8182f75ecf4278f71e4aad44
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/91aa2952-0814-46fb-985e-8f04578b2df3/
Parent samples :
5b17813545c85a10c81e81610c7ebf01d2316f80c8b02b89bb747c31a8c919e6
9d58f6f9e8cadbecbbef127edaa0f5376f8a52643e8d08d029f6672783a16e22
b5e780ba89a5931161f195adb76074b20fd6a6074193529cbe6fd80031f66ad0
33799badf5d4a18281869c2e31449d318f91beb75388f6313b8fa717a5d2aa2c
134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22
SH256 hash:
69f79f393d10f67f628c2439344f3a8d0c75cbdae4e5f3b944f45dcd8ed5b602
MD5 hash:
369603b8042e8d21e86bbaf26d43789b
SHA1 hash:
b0e46e22d221fd5331ce045a866f2f98b56275ba
Link:
https://www.unpac.me/results/91aa2952-0814-46fb-985e-8f04578b2df3/
SH256 hash:
a917d9023f9ea32b19f1a3a414e51f704fd2d0c1acd60db19c4a178c1af4d88f
MD5 hash:
603be4434fec01581875e0b70b587add
SHA1 hash:
57d4cbc8e770ba3580197707e3cd31492fb85887
Link:
https://www.unpac.me/results/91aa2952-0814-46fb-985e-8f04578b2df3/
SH256 hash:
c85bc328773aba91c794d88be8ac5ccd57dddbea157f6c128bb5a3b193e0319f
MD5 hash:
8b926a9877401238b870a1a2745b39a2
SHA1 hash:
50ab6730fee83524fe4e03f077229a32eeb07691
Link:
https://www.unpac.me/results/91aa2952-0814-46fb-985e-8f04578b2df3/
SH256 hash:
134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22
MD5 hash:
09b46bba0b0a29dc5b9e8d92df13b159
SHA1 hash:
4594dd3f74f83980a547bd8b7376f78bb39237e2
Link:
https://www.unpac.me/results/91aa2952-0814-46fb-985e-8f04578b2df3/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/134a6be64174/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj fadd4a7246b5524e2e6348941effea830384f78f4e2d99b4921e08c45818b4fc

AgentTesla

Executable exe 134a6be64174b03cdccc5bb168cbbb369882291222865c587ee75a8390926f22

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fadd4a7246b5524e2e6348941effea830384f78f4e2d99b4921e08c45818b4fc
Cape
Cape
https://www.capesandbox.com/analysis/472847/
  
Dropped by
MD5 2cbc6b08ca0d40c92cde3ae6214a7ecd

Comments