MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949
SHA3-384 hash:	f55c1ac7a2c1d9a31550ec29e960e9142f8b5b1d875cb807d5f8b41f29159d1401d7eda0ccefddd8e9667783f25e5820
SHA1 hash:	1bfd4cb563dda00bcbdada885f40f456fd55ac5c
MD5 hash:	1e8f818a8c9b3b3c753da3d25e60ff54
humanhash:	triple-fanta-pennsylvania-hotel
File name:	solm.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	873'536 bytes
First seen:	2023-06-14 09:19:08 UTC
Last seen:	2023-06-19 14:59:14 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:WsyU382vQERTp9LCAzxyVx19hqBjqEewXdb:vR3zg5q6Gdb
Threatray	3'650 similar samples on MalwareBazaar
TLSH	T1A705120372889B71DD6958F5D1E7053D07F6F14B2F72C29D7A8600C24E437E5AACAB8A
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	cocaman
Tags:	AgentTesla exe Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

solm.exe

Verdict:

Malicious activity

Analysis date:

2023-06-14 09:20:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5ee0db6f-3057-4577-8b52-07d22ef1cd90

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/398672/

Detection(s):

SecuriteInfo.com.Trojan.DownloaderNET.345.23878.17010.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6489864339f32abaefb352ca/reports/ae39804f-7a14-4460-b996-f49b14975e11/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f43c55f3-c13a-48cc-bf95-58085e06ddb9

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1254320

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-14 08:25:14 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=icyka5xjaqcc5b5uz6xjhn5otlaa3n4um5omjp6szjl74vp3bfeq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4d25ec738f85928f32d25339810540921b92af4c6ec33369a80ad5f0dfb6d07d

AgentTesla

74d26f4b119393b4528ff36ae1ed9ddf2fd9b6e36f3dbd9c7456ad692687905c

AgentTesla

77b72d9e11b5b61983903918dfb822e8c6c1e3a4acd6a5fde5db7a3cf004b445

AgentTesla

806d84d7beb73d21f10339e37cc8cad779ab270fb80b79258268aa78fe85f9b0

AgentTesla

aa23406d036894ae210e0531e6014c1377bdb409619cde6143e69d0a8dc7b85b

AgentTesla

cb55fa293a824686db59be3e107726d2091ba56a62092f79e2d47744535e5e94

AgentTesla

eb4b358d784a43733f3b307b562f7d3282cc07d94be7526cd8600bf8a4bee530

AgentTesla

+ 3'640 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230614-larecaff31/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5497972920:AAHqqS9EfkxnwYz3pQtCWef33URevfy5tRk/

Unpacked files

SH256 hash:

40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949

MD5 hash:

1e8f818a8c9b3b3c753da3d25e60ff54

SHA1 hash:

1bfd4cb563dda00bcbdada885f40f456fd55ac5c

Link:

https://www.unpac.me/results/c36458de-b2a0-4b44-9d73-c1d31283db64/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/40b0a076e904/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 65ce3474d918eead0e864e0836c87c571b545054a06b021009b20978e6c8eeeb

AgentTesla

exe 40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949

(this sample)

Delivery method

Other

Dropped by

SHA256 65ce3474d918eead0e864e0836c87c571b545054a06b021009b20978e6c8eeeb

Cape

https://www.capesandbox.com/analysis/398672/

Dropped by

MD5 e8b738a2b416d5475af76ec6cd3600ba

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample