MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 413284502e9764a66d39c2c7862f5ae6a2341f97bec858b55875a5a46e06df1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 413284502e9764a66d39c2c7862f5ae6a2341f97bec858b55875a5a46e06df1b
SHA3-384 hash: 505760a7a01fdca5607416d43087b09b774eb701150bf50beb7bb65b2339f8428930349038044c78f78450d5d163c37a
SHA1 hash: 33309060b40625e377b6177d0707edf703155316
MD5 hash: 582bf741892d3832f3ca7020640f7a90
humanhash: tennis-fillet-maryland-magnesium
File name:PRODUCT INQUIRY 001.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:761'344 bytes
First seen:2023-01-24 15:31:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Ht4o85MtEwcU3gZ+GQzjkATGdsB3CN15Ziv9LUsitaNI8pD50SJmZCVJXZwPa82k:Nx856AAgZbQzlGCv1tiyC9CHJL82RO
Threatray 6'156 similar samples on MalwareBazaar
TLSH T1F5F4E040AA784B53F4FC8FFC427D66465FB0287B67A3F3B50ED162E614677428640AA3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PRODUCT INQUIRY 001.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 15:34:16 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/ca0db39c-cfcf-4f1d-a4b3-9b2c471a7ecb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356419/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63cff9f5447edb203a00a08d/reports/e064a5f2-3738-439d-82f5-dde20987297e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c23b40e-ab83-4535-9837-f037a44fd5cf
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158005
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790742 Sample: PRODUCT INQUIRY 001.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 11 other signatures 2->47 7 PRODUCT INQUIRY 001.exe 7 2->7         started        11 safWhWNzqqCv.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\safWhWNzqqCv.exe, PE32 7->31 dropped 33 C:\Users\...\safWhWNzqqCv.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp850A.tmp, XML 7->35 dropped 37 C:\Users\user\...\PRODUCT INQUIRY 001.exe.log, ASCII 7->37 dropped 49 Adds a directory exclusion to Windows Defender 7->49 51 Injects a PE file into a foreign processes 7->51 13 PRODUCT INQUIRY 001.exe 7 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->53 55 Machine Learning detection for dropped file 11->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->57 21 safWhWNzqqCv.exe 7 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 smtp.beckukk.com 198.54.120.122, 49695, 49696, 49697 NAMECHEAP-NETUS United States 13->39 59 Installs a global keyboard hook 13->59 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->61 63 Tries to steal Mail credentials (via file / registry access) 21->63 65 Tries to harvest and steal browser information (history, passwords, etc) 21->65 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/413284502e9764a66d39c2c7862f5ae6a2341f97bec858b55875a5a46e06df1b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-24 18:52:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ieziiubos5skm3jzyldyml2242rdih4xx3efrnkyows2i3qg34nq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01b0e10d7351007133aa2a5f1cef379b855706256fb70f327990ea142df772ad
AgentTesla
09607c48d3c5930249aeb27320d1a808becd0ca63bdf8b85d0673c45e23e843f
AgentTesla
224695648fe70d6c4e2636192e87ab57d714d4a59188b331578f36758f23e318
AgentTesla
6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4
AgentTesla
7d35393acd36cfb26d3a449af639fa8aa1624c1b9b888248825707820acf4adf
AgentTesla
affcc95b61bb0461fcd218472be113a32059cc9abef6cb88aecaaf6577634239
AgentTesla
e00c81eaf51d453c0a837df83d38b33cc4217bc40473a5a927c2434a1520a520
AgentTesla
f20c0a34d3fa5c65d495dd1dcdd1a39b2512607bcc3bc24aa7e295f5b2779698
AgentTesla
+ 6'146 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230124-sylmbscc87/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
cd3c0374c3cb2207dc09d111f486103be5a21323d6ac615ab70fdbc62e340eb1
MD5 hash:
9d95d8c5584d6ae34c41e3de5ba9d94d
SHA1 hash:
b6f244c6cc925314a283fb8b277d8911aaa43140
Link:
https://www.unpac.me/results/b315ae7f-2703-41b6-8a34-cdc03c81c771/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/b315ae7f-2703-41b6-8a34-cdc03c81c771/
SH256 hash:
f72b52121288723d36fab719e111c6732d08f6d999ccffc9504003740e679fe6
MD5 hash:
ed59ed7929444585e68c56548b08b0e6
SHA1 hash:
9212fea03f30615cdd1076a3b899971c8eff4a34
Link:
https://www.unpac.me/results/b315ae7f-2703-41b6-8a34-cdc03c81c771/
SH256 hash:
5b4fce8a8f1358babd1a9827804abbf6454d35cd7f257dae14cd19223e6c48df
MD5 hash:
bc5ef7b36555816b38a67011ab37cad7
SHA1 hash:
6e86656ad2789ee23206415303ba3e73aafc9e4a
Link:
https://www.unpac.me/results/b315ae7f-2703-41b6-8a34-cdc03c81c771/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/b315ae7f-2703-41b6-8a34-cdc03c81c771/
SH256 hash:
413284502e9764a66d39c2c7862f5ae6a2341f97bec858b55875a5a46e06df1b
MD5 hash:
582bf741892d3832f3ca7020640f7a90
SHA1 hash:
33309060b40625e377b6177d0707edf703155316
Link:
https://www.unpac.me/results/b315ae7f-2703-41b6-8a34-cdc03c81c771/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/413284502e97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/413284502e9764a66d39c2c7862f5ae6a2341f97bec858b55875a5a46e06df1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 413284502e9764a66d39c2c7862f5ae6a2341f97bec858b55875a5a46e06df1b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/356419/

Comments