MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 403482dd22ddee05c4675772c8692ff5ba9b18eacac6755187bd22d42db9d4c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 403482dd22ddee05c4675772c8692ff5ba9b18eacac6755187bd22d42db9d4c3
SHA3-384 hash: 387af626b7cb72f6abcc8cc8e171b5d3a2414da28932b5af2d8a5b4c7276f33fe6a398c7c95fdc61f5cb74ebd2c4c775
SHA1 hash: d4ff4a6aa07dc6f8a51887dd0104070b139fb144
MD5 hash: 9e0a21fe9ba5ab5799933a85186a3c11
humanhash: enemy-yellow-xray-freddie
File name:PO_6039792 Order Confirmation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'113'088 bytes
First seen:2022-10-18 17:18:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:clxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss/ExJWio:DExJrJ9gFdj
Threatray 20'937 similar samples on MalwareBazaar
TLSH T1C6357BB626D41257E42972B18193E5F322FB6E606411E1CB58D31FAFBC802BBD52734B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1031ccc4ccccaa10 (14 x Loki, 12 x SnakeKeylogger, 11 x Formbook)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321459/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.60767.6553.26344.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634ee007339362a6061af7bf/reports/ca80b1fa-afd2-45c4-b477-a34bd8e2de1f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/876c4677-d1ce-4fa7-b210-24dbec75160d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092933
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/403482dd22ddee05c4675772c8692ff5ba9b18eacac6755187bd22d42db9d4c3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 06:29:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ia2ifxjc3xxalrdhk5zmq2jp6w5jwghkzldhkumhxurnilnz2tbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037
AgentTesla
49adec13776b1d5c1a583a7ecfc3dca07898f060ba46010cdabd2923348d0ed0
AgentTesla
8ccea9d264f5584180de3b726b676590bfec351367d48a03decb1ee37f9f3965
AgentTesla
9f94bfaf7433e3b0142b5a57965199ec01c4e69b1c5598642d165138ebf742f3
AgentTesla
ab828ebbb7925536f94b2fe3f34100bdc8326589deb88e90dd3490893495f19c
AgentTesla
be06f8a3ed040aadf2598bc5a9b4c886c271ad7866505dba11b723dba968f518
AgentTesla
cf633ec437e48b72f1bbf05a6f21ace7b94686afa55a6c473ff72ef6d4dc1bc7
AgentTesla
eef6df577e7da107e24b1c043d08c10ede909e73ef8d6b6881dd75327770aa7e
AgentTesla
+ 20'927 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221018-vvtvmsggfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5476328609:AAGdqIkYvW9rAMdHDWP-Prv8P3MRMPpndw0/
Gathering data
Unpacked files
SH256 hash:
6fe15780bb775f8f0e0c8cd4fe6cd940432e617c92ac459cbc672b03d473f99c
MD5 hash:
34ad5ddb53aef149b18193eccca31972
SHA1 hash:
f359e876ef9ee31ac11f545a535ab50ff633b0eb
Link:
https://www.unpac.me/results/4f37e1d3-a925-4eac-88f8-95dfa95fe90e/
Parent samples :
21b03041f46e3e62f2500998745e5c1fb98996dd622ca046653fa0501278ced3
4b63526b77bef99ddab0ed2fef6abed0ebe1044dbc769f088b43cfc1ae16186a
SH256 hash:
12dbcc87e4a9a51bdfd2ad0826143df9f98fdf2b0b3aa96f7c37192a22261edd
MD5 hash:
3d733765d04202018db2c5f5c458433d
SHA1 hash:
469dd41148be531ddcbddb8b63f683060ba7e0c0
Link:
https://www.unpac.me/results/4f37e1d3-a925-4eac-88f8-95dfa95fe90e/
SH256 hash:
32f248e7b3edc6ff6bcbf957911e3149894c4d1e82c9aa7290e9b771caee16c0
MD5 hash:
106ff97671cc89d3921b3e3b14c74b9a
SHA1 hash:
35baa3157375f1f9d5815ef2086cdcfb2b7da1bd
Link:
https://www.unpac.me/results/4f37e1d3-a925-4eac-88f8-95dfa95fe90e/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/4f37e1d3-a925-4eac-88f8-95dfa95fe90e/
SH256 hash:
76673da25890dcd354521836c83b5166dd71019a1f45d6c020b0bf69fa6a3977
MD5 hash:
01007c9de31c0651c3b7b1738d843be4
SHA1 hash:
817e0823f948c272061d2e505d6e7c3d64ebb07b
Link:
https://www.unpac.me/results/4f37e1d3-a925-4eac-88f8-95dfa95fe90e/
SH256 hash:
403482dd22ddee05c4675772c8692ff5ba9b18eacac6755187bd22d42db9d4c3
MD5 hash:
9e0a21fe9ba5ab5799933a85186a3c11
SHA1 hash:
d4ff4a6aa07dc6f8a51887dd0104070b139fb144
Link:
https://www.unpac.me/results/4f37e1d3-a925-4eac-88f8-95dfa95fe90e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/403482dd22ddee05c4675772c8692ff5ba9b18eacac6755187bd22d42db9d4c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 403482dd22ddee05c4675772c8692ff5ba9b18eacac6755187bd22d42db9d4c3

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321459/

Comments