MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41f206a7e8b3c15642e6cfad479ae3f0972b82e57ec46a5ffd31e51954a81c6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41f206a7e8b3c15642e6cfad479ae3f0972b82e57ec46a5ffd31e51954a81c6c
SHA3-384 hash: a43dea9be6b94e9f31e6930498b283ab6d9689d61fa406e144a76692c2f993ea7e43d0c2ff1f2dd4b004927a2063d25f
SHA1 hash: f914783d5d5aeeb95eda30a8c456624e471108a2
MD5 hash: edbb2066fd9539e279bf48077b755a40
humanhash: thirteen-arizona-glucose-romeo
File name:Specifications_Details_20330_FLQ.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:818'688 bytes
First seen:2021-07-21 14:54:19 UTC
Last seen:2021-07-21 15:58:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:AvFWssZm5qy2FRbaXUikcuB0HBWrAatN0t5Tkln7heMTk9pfmoQlCxjm+p2S:MULRbkUHcuB0+NITycpPBF3
Threatray 17 similar samples on MalwareBazaar
TLSH T1FE0512B087AAD9E2EE5A427A19F5392A2C313927C0963DD8BD513DDB303ED0247254DF
dhash icon 74ecccccd4ccccf0 (1 x AgentTesla, 1 x Loki, 1 x ResolverRAT)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Specifications_Details_20330_FLQ.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-21 15:10:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12bc2d4a-e311-4860-96e1-80033dddf12d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173046/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14615.18917.25865.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cde4e34b-bbba-47ae-b33d-9a32544cfdd1
Result
Threat name:
AgentTesla Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819579
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 451990 Sample: Specifications_Details_2033... Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 29 clientconfig.passport.net 2->29 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Snake Keylogger 2->53 55 5 other signatures 2->55 7 Specifications_Details_20330_FLQ.exe 1 8 2->7         started        11 notepad.exe 2 2->11         started        13 notepad.exe 2 2->13         started        signatures3 process4 file5 21 C:\Users\user\AppData\Roaming\...\notepad.exe, PE32 7->21 dropped 23 C:\...\Specifications_Details_20330_FLQ.exe, PE32 7->23 dropped 25 C:\Users\user\...\notepad.exe:Zone.Identifier, ASCII 7->25 dropped 27 2 other malicious files 7->27 dropped 57 Writes to foreign memory regions 7->57 59 Injects a PE file into a foreign processes 7->59 15 Specifications_Details_20330_FLQ.exe 15 2 7->15         started        19 Specifications_Details_20330_FLQ.exe 7->19         started        61 Injects files into Windows application 11->61 signatures6 process7 dnsIp8 31 checkip.dyndns.com 216.146.43.70, 49723, 49724, 49727 DYNDNSUS United States 15->31 33 freegeoip.app 172.67.188.154, 443, 49726 CLOUDFLARENETUS United States 15->33 35 2 other IPs or domains 15->35 37 Tries to steal Mail credentials (via file access) 15->37 39 Tries to harvest and steal ftp login credentials 15->39 41 Tries to harvest and steal browser information (history, passwords, etc) 15->41 43 Multi AV Scanner detection for dropped file 19->43 45 May check the online IP address of the machine 19->45 47 Machine Learning detection for dropped file 19->47 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41f206a7e8b3c15642e6cfad479ae3f0972b82e57ec46a5ffd31e51954a81c6c/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 08:58:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 28 (67.86%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ihzanj7iwpavmqxgz6wupgxd6clsxaxfp3cgux75ghsrsvfidrwa._file
Verdict:
unknown
Similar samples:
02026f0a7193b66036223f82eff070e816ebfbea86af8bb8fa5c92bf6119633f
AgentTesla
060685f00b5569a8d8e1d58a2e50dd7359833e8b6c12ffabb0ce02bb42c5db53
AgentTesla
36d66cc784c6f77b43ed1293123ffdd00c3121fef540f1cfa9c17f1da6e6aa4c
AgentTesla
381e9692044f46f9a850f2f35b26473a63eec1a6486585fa49f4564c21c20cd6
AgentTesla
437b54089000ca7236fda3977ae22b75409c8414331c76e3d55029290f60f57f
AgentTesla
44423c3d0ea20964dc8918929e6fa588396b3ce654798022506852cd9b60aa3c
AgentTesla
517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
AgentTesla
6ffa008d9c18433dfb729075105f7837874da4b96d22c7718f360558f9aeaa0a
AgentTesla
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210721-bhssq63gns/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
4903c49f381701b9bd139502e5992a7e588d3ee22115c94e8564133dd4cd1293
MD5 hash:
e46890649ffa67fdc6f5c275679956aa
SHA1 hash:
a8029509c6bf51302c45df96d256ec39f1f4f4ff
Link:
https://www.unpac.me/results/afb78eaa-83d8-445a-8b16-ac5d0dd71224/
SH256 hash:
bdec7cec9c7ed57031aec7572f68166bc71320f1302a74e6375751252e009af2
MD5 hash:
dcb852f9121a466a1b1294dfd2f32294
SHA1 hash:
701a157a364c2ddc915baf5ae397e132bfbf34ac
Link:
https://www.unpac.me/results/afb78eaa-83d8-445a-8b16-ac5d0dd71224/
SH256 hash:
cadc4d3f0ee97f0333fc1315b81748884f86c7e21cf0170e5d269074e27d67ff
MD5 hash:
d47a2ecb835737ce698187e10325195c
SHA1 hash:
197c7610517ada53e6e86a735e16a4aa9044b161
Link:
https://www.unpac.me/results/afb78eaa-83d8-445a-8b16-ac5d0dd71224/
SH256 hash:
41f206a7e8b3c15642e6cfad479ae3f0972b82e57ec46a5ffd31e51954a81c6c
MD5 hash:
edbb2066fd9539e279bf48077b755a40
SHA1 hash:
f914783d5d5aeeb95eda30a8c456624e471108a2
Link:
https://www.unpac.me/results/afb78eaa-83d8-445a-8b16-ac5d0dd71224/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41f206a7e8b3c15642e6cfad479ae3f0972b82e57ec46a5ffd31e51954a81c6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ebee6aa23581694ef24a432fd0e09a5b150e9238f973ec62d182d6ca8c0b07e9

AgentTesla

Executable exe 41f206a7e8b3c15642e6cfad479ae3f0972b82e57ec46a5ffd31e51954a81c6c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ebee6aa23581694ef24a432fd0e09a5b150e9238f973ec62d182d6ca8c0b07e9
Cape
Cape
https://www.capesandbox.com/analysis/173046/

Comments