MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 142fdc315348f2ea29d8d3b7ff744c19fa7c6abef2c8f49f2206472d5c9b1ae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 142fdc315348f2ea29d8d3b7ff744c19fa7c6abef2c8f49f2206472d5c9b1ae8
SHA3-384 hash: f48b0df0a29922c8568148ba72f2cf9c0812a42e455f1158c0f84d8a838fc735b38e6a43e0f3443863be7a104dad6837
SHA1 hash: 46e6a83cf11df04d4d731bd991f0c880dc396e51
MD5 hash: 1eb398bbccd852790cba41be36d18ed8
humanhash: stream-football-alaska-lithium
File name:COAU8028849970-DN.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:237'489 bytes
First seen:2023-07-27 01:47:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 6144:/Ya6DKDyWS+EYfkHEbhqAQtzYh5oTiYFG0IIZk340m:/YRUM+E3n10oTVgE0m
Threatray 1'149 similar samples on MalwareBazaar
TLSH T1CA34120436F5C067E56306B21DB69376B6F6C62224758B2B17F03F0CFB62A42E94E752
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
COAU8028849970-DN.exe
Verdict:
Malicious activity
Analysis date:
2023-07-27 01:50:56 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/6bc58333-b4bc-454a-8a2d-800a30acdf5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434612/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64c1ccd34e8e3d7634757a5f/reports/1b7577a4-db44-4b04-a2a5-2605ee398aae/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/142fdc315348f2ea29d8d3b7ff744c19fa7c6abef2c8f49f2206472d5c9b1ae8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90f0a546-1421-41a7-86f7-83ee91a1d1a3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280783
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280783 Sample: COAU8028849970-DN.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 6 COAU8028849970-DN.exe 1 20 2->6         started        10 dmvrb.exe 18 2->10         started        12 dmvrb.exe 18 2->12         started        process3 file4 22 C:\Users\user\AppData\Roaming\...\dmvrb.exe, PE32 6->22 dropped 24 C:\Users\user\AppData\...\giqkqupjvc.dll, PE32 6->24 dropped 50 Detected unpacking (creates a PE file in dynamic memory) 6->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->52 54 May check the online IP address of the machine 6->54 14 COAU8028849970-DN.exe 15 2 6->14         started        26 C:\Users\user\AppData\...\giqkqupjvc.dll, PE32 10->26 dropped 56 Multi AV Scanner detection for dropped file 10->56 58 Machine Learning detection for dropped file 10->58 60 Maps a DLL or memory area into another process 10->60 18 dmvrb.exe 14 2 10->18         started        28 C:\Users\user\AppData\...\giqkqupjvc.dll, PE32 12->28 dropped 20 dmvrb.exe 2 12->20         started        signatures5 process6 dnsIp7 30 webmail.ultra.aqfoam.com 103.6.198.192, 49699, 49702, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 14->30 32 api4.ipify.org 64.185.227.156, 443, 49698 WEBNXUS United States 14->32 34 api.ipify.org 14->34 36 104.237.62.211, 443, 49700, 49701 WEBNXUS United States 18->36 38 api.ipify.org 18->38 40 api.ipify.org 20->40 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->62 64 Tries to steal Mail credentials (via file / registry access) 20->64 66 Tries to harvest and steal browser information (history, passwords, etc) 20->66 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/142fdc315348f2ea29d8d3b7ff744c19fa7c6abef2c8f49f2206472d5c9b1ae8/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-27 00:30:56 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqx5ymktjdzoukoy2o3765cmdh5hy2v66lepjhzcazds2xe3dlua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
165a4a13cc076a6cf2a41f4b6bb1d2336033d9976d0abb8f02e941eb64a6f963
AgentTesla
47c3e044af3684dfa7d4d7885d9452358620d9e98c25fffe0d0c82c9f72fbf08
AgentTesla
4d13c083733f91952877388ea9aca09aab32bb5f31a422c0fb0590921cb2316e
AgentTesla
64f7160a149eb98340872f6bba7149c4b654cff413acced11d4c7ee14f3a7ad5
AgentTesla
8782056d9091e507124a6a17d8b3063f8f5d9dee912c70bbaf3f7b62783d388d
AgentTesla
9f20125e93f217448a2a774a8470196dc28c401fdb2a2efb77455b392483eb9e
AgentTesla
a99019e3753a7babc2108dc67c77be0d5914b23051b1fd7a07f2b3a3ba840559
AgentTesla
c256525c8f37a9a8fa3f42995a9d257d4305e7939ccb35949a856ecc8b2a99e2
AgentTesla
d50074d48914764b355b89e387636cfbc2d5f5daf17b8afee1490c176afccfbf
AgentTesla
d9d9e3cc542fd9391c9ae953b0071b0a4a450df7d6e3e5563df812b128ab2620
AgentTesla
+ 1'139 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer upx
Link:
https://tria.ge/reports/230727-b742lahf3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
dd3ea7b9d8a6a856a9c9a347dc35e32dcad444a0d9cb6ebee92129dcd28449d4
MD5 hash:
bfca2c69615f4c0eadc385875174443b
SHA1 hash:
240c609be91b3e117363a4c852b1a0309c0004b7
Link:
https://www.unpac.me/results/919cb366-5e80-4068-8d20-ae98975993c2/
SH256 hash:
2025e7e164cf43c6a9625cc15cb2ff55f9845a6ccfc8450e6dbe45aaec9d4421
MD5 hash:
d923df63c97ae3902e478f1197b9dda8
SHA1 hash:
553a202a4c5689bf3a2dd3b7fd89be8d6e971197
Link:
https://www.unpac.me/results/919cb366-5e80-4068-8d20-ae98975993c2/
SH256 hash:
142fdc315348f2ea29d8d3b7ff744c19fa7c6abef2c8f49f2206472d5c9b1ae8
MD5 hash:
1eb398bbccd852790cba41be36d18ed8
SHA1 hash:
46e6a83cf11df04d4d731bd991f0c880dc396e51
Link:
https://www.unpac.me/results/919cb366-5e80-4068-8d20-ae98975993c2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/142fdc315348/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/142fdc315348f2ea29d8d3b7ff744c19fa7c6abef2c8f49f2206472d5c9b1ae8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/434612/

Comments