MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc
SHA3-384 hash: 38444d11461caad08242a255077adcc8d9dc841835df8966ad0a14ba3e7200ff98b1719c36acebeca478e25e191d5f34
SHA1 hash: a710ee017588c457216b8b40efd68e87a5c8eb40
MD5 hash: 645d673a63f86e7be291ab3d81bed4e6
humanhash: oxygen-delta-four-minnesota
File name:Halkbank_Ekstre_20230914_073809_405251-PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:967'680 bytes
First seen:2023-09-20 11:25:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EdrUl2iNt1NVXjl9TYQgSHA1nM5tw6pSe6G4+py6U19G/s+lP7r9r/+ppppppppV:MUl1rVMp1I5R4Xz+l1q
Threatray 5'773 similar samples on MalwareBazaar
TLSH T1B325BD80E658ABA1DD29A7F05636CC3453337DADA438D11D1CCE3DEB3BBAB824621553
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Halkbank_Ekstre_20230914_073809_405251-PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-09-20 11:26:58 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/0e379351-afba-49c7-9cd1-e06f77b9419c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450012/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650ad6ca32ffdb7a7a0cf9e6/reports/211fa064-ff51-4029-ba14-a2b5bbb5ee55/overview
Verdict:
Malicious
Labled as:
Ransom.CryptoJoker.Generic
Link:
https://www.hybrid-analysis.com/sample/411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8803db8a-9ad8-4043-815d-fa1f878a0d49
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311487
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1311487 Sample: Halkbank_Ekstre_20230914_07... Startdate: 20/09/2023 Architecture: WINDOWS Score: 100 29 api.telegram.org 2->29 45 Found malware configuration 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->49 51 9 other signatures 2->51 7 NJFUCIF.exe 3 2->7         started        10 Halkbank_Ekstre_20230914_073809_405251-PDF.exe 3 2->10         started        12 NJFUCIF.exe 2 2->12         started        signatures3 process4 signatures5 53 Antivirus detection for dropped file 7->53 55 Multi AV Scanner detection for dropped file 7->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 Machine Learning detection for dropped file 7->59 14 NJFUCIF.exe 14 2 7->14         started        61 May check the online IP address of the machine 10->61 18 Halkbank_Ekstre_20230914_073809_405251-PDF.exe 17 5 10->18         started        21 Halkbank_Ekstre_20230914_073809_405251-PDF.exe 10->21         started        23 NJFUCIF.exe 12->23         started        process6 dnsIp7 31 64.185.227.156, 443, 49708 WEBNXUS United States 14->31 33 api.ipify.org 14->33 35 api4.ipify.org 104.237.62.212, 443, 49705 WEBNXUS United States 18->35 37 api.telegram.org 149.154.167.220, 443, 49706, 49707 TELEGRAMRU United Kingdom 18->37 39 api.ipify.org 18->39 25 C:\Users\user\AppData\Roaming\...25JFUCIF.exe, PE32 18->25 dropped 27 C:\Users\user\...27JFUCIF.exe:Zone.Identifier, ASCII 18->27 dropped 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->63 65 Tries to steal Mail credentials (via file / registry access) 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 41 173.231.16.77, 443, 49713 WEBNXUS United States 23->41 43 api.ipify.org 23->43 69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 71 Installs a global keyboard hook 23->71 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 10:03:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
54
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iep4abxl4fzeu25lspmxpymdvuud6zejmdd5vsz6zt6m62ezm7oa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
27b0811f1a22296d17285add8557ce3fbfd823f9de7e20cbccc55908d514eeea
AgentTesla
402fbecbd491aca725151d4bfe04e48f40bee088a5f492f2ad47751c72b199ce
AgentTesla
7450bd753c6072a9262368cc84b099d84bb21c65504efe08281304a7742ac500
AgentTesla
cd45acb8d6995389a4667133e25d150f6f62e5dac5bed0f6f043d40bb59488d4
AgentTesla
cf0dd63651cf5fa24b8b70384acd86edeb4c0eb3b47ca7684d817a76eb55eeca
AgentTesla
d2ca4fbb0d048c9fcb71ec6146e9a8ef2f648191b4bc8cec3d05f5afa2f0ed5b
AgentTesla
ee0e2a4caec3cfd987893177d930a6ba9d61a27b9e4a04d6169d2fe0b797c170
AgentTesla
f03f1ae3d3d6bde555d9bc841f8b11ee27459cb9937ae50298b24acb3190552e
AgentTesla
+ 5'763 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230920-njt8psfh8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6543832281:AAF0O-sB2JuhhWieylcwLs9yQGWcvpyk_5Y/
Unpacked files
SH256 hash:
ec6611fea9635a686e95a3f1fe226d624c7f4ae3c69c432b1ab9c720d7746a9b
MD5 hash:
370443cd4d5b0b3e9130876e6b66b3ba
SHA1 hash:
f04078ae17f88127427d321e35d3f5ff3dfc9658
Link:
https://www.unpac.me/results/8526fb1d-d2b1-4ed5-9ae0-bd0a98c24512/
SH256 hash:
25c7e7b8e0abe614ff35963ed78519fafed2177c5ca9aaddc7ff7ae772a7caa4
MD5 hash:
39f5efc2c0862e0c58124df99e19aab0
SHA1 hash:
9d1a2bbbfddf2ff975cc5b9ca49b8f87f540cd3f
Link:
https://www.unpac.me/results/8526fb1d-d2b1-4ed5-9ae0-bd0a98c24512/
SH256 hash:
0045e55af6e5f421eda0a778147b55ca1a0abbd0d0dc508476ae45cb4d8dfd42
MD5 hash:
12612af5ec3789645f7febcd2c34bb3a
SHA1 hash:
8133fc604a15ba2219bd1f82569ec822f443e46a
Link:
https://www.unpac.me/results/8526fb1d-d2b1-4ed5-9ae0-bd0a98c24512/
SH256 hash:
f801e6f47c4e6610d0b0977ba410f4c97ee3cb48f0edc381f09912276006f761
MD5 hash:
a8d54eb60e790ef27c60e4fb5754974e
SHA1 hash:
640d0ad2847950d213172eba1c416ee3e38dc8cd
Link:
https://www.unpac.me/results/8526fb1d-d2b1-4ed5-9ae0-bd0a98c24512/
SH256 hash:
411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc
MD5 hash:
645d673a63f86e7be291ab3d81bed4e6
SHA1 hash:
a710ee017588c457216b8b40efd68e87a5c8eb40
Link:
https://www.unpac.me/results/8526fb1d-d2b1-4ed5-9ae0-bd0a98c24512/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/411fc006ebe1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450012/

Comments