MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d
SHA3-384 hash:	576b89ec97cafa794286e723731208e9c4a2c7441afc7845147dcb46140965ff0ea6df4f21f0643c472b24379eef6b55
SHA1 hash:	7195dc5aeda6f7f88e32e3aab2c696959c4e42a5
MD5 hash:	8670ff57444ced9cc643f4588e41a93e
humanhash:	skylark-nitrogen-high-three
File name:	FACTURA_.EXE
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	727'552 bytes
First seen:	2024-03-27 10:57:31 UTC
Last seen:	2024-03-27 12:38:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (60 x Formbook, 23 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:AsHzOUNUSB/o5LsI1uwajJ5yvv1l2WiqfqVR7idUfRgtdvGmavCbyBW6/:TiUmSB/o5d1ubcvpjbdWgf2W6/
TLSH	T1E9F42377F2919C84E11385F831D88B73052BDE705C7B15914BA0BF9B4CBDBA8464AEE2
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	eccc8c94d4d8e8f4 (21 x Formbook, 15 x AgentTesla, 5 x Loki)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

331

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d.exe

Verdict:

Suspicious activity

Analysis date:

2024-03-27 11:12:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/38637cd8-de1e-4b7a-935f-19ff1b32ed8e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Sending an HTTP GET request

Forced system process termination

Verdict:

Malicious

Labled as:

Trojan.IEC.Generic

Link:

https://www.hybrid-analysis.com/sample/4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/37a91633-3fda-4ded-97b3-07206ac5e17d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1416418

Signature

Antivirus detection for dropped file

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2024-03-26 03:47:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ifiksjkbgb3vcrxbs452iyp7vtd5ke3f3jynwsf6zosq7p6b4ooq._file

Verdict:

malicious

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/240327-m2t5zsdg3y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

AutoIT Executable

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

33d58a904a1d6b8dc4d9f5638744af2264240753c0980a0aef1f959b445e6864

MD5 hash:

527eb213ab208227e19f3030c3b2ef1c

SHA1 hash:

b5c6f557dfdf70e4e1de37ed2941a03d89d3b33e

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/68d32389-94c4-4502-8f32-e0945ca07eaf/

SH256 hash:

22877754785dcdf8b8942f2fc958b03f7ce582c0d103d3755634df16f326e635

MD5 hash:

59613aad62df676c226a00615b493608

SHA1 hash:

73975e0f61cc20949a8b46e4d9cda228f59cfd80

Detections:

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/68d32389-94c4-4502-8f32-e0945ca07eaf/

SH256 hash:

a54603486f0c3d71d20200076da25a9af0f609ed3df0486652c5975753687fd9

MD5 hash:

fe3d9efd39ec235e22db47de316826d8

SHA1 hash:

2137d2765acd9a2a15bc85ae739322d0dd67da98

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/68d32389-94c4-4502-8f32-e0945ca07eaf/

Parent samples :

4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d
7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36
58d1cf060d10e302a7cb4527dbbbc547311e5166e0a34871356024c444ee441d
db86e3bc6c91e2851f8cb119411c1ebfa404634013a03e47215250364a2ca9bb
1136ddaf95606aa08128886a929c64bd367ac38d04a67f95a2ea2b29330197fe
8530446a085c1700fc1ce3e5e21afc356d9701ed553edbfceaed8233ab2c9d95

SH256 hash:

4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d

MD5 hash:

8670ff57444ced9cc643f4588e41a93e

SHA1 hash:

7195dc5aeda6f7f88e32e3aab2c696959c4e42a5

Link:

https://www.unpac.me/results/68d32389-94c4-4502-8f32-e0945ca07eaf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetAce
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::timeGetTime
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample