MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4250c2787cb484a030495a28dfbe00899b8a18f0ab1aa8550ac8317e3dd9f44e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4250c2787cb484a030495a28dfbe00899b8a18f0ab1aa8550ac8317e3dd9f44e
SHA3-384 hash: 6724b8e5ec345940682d58531b0db0b9c1162b53bbfdf9dd67f901f6575b7d6e2ee04c647ecb85460d9dbf0c6c98ec13
SHA1 hash: aea0b73525a23112d9ec321bed75ff2b8cab0a89
MD5 hash: 26ca1b72454579440fd916e0664efe0b
humanhash: fillet-twenty-quebec-stairway
File name:SecuriteInfo.com.Win32.TrojanX-gen.14688.4643
Download: download sample
Signature AgentTesla
Create hunting rule
File size:796'160 bytes
First seen:2023-04-10 14:31:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:zS617GJrYvXLdhys3TrgMrOEff5C8QizfsadVi1gPeP+1IrtbYbXG9:3fsmSgP4ryA
Threatray 1'911 similar samples on MalwareBazaar
TLSH T19A059D2D1C4F4662E138E7B59AA18060F3ED9053771BFE2B9DD261C44B12A82FCCD56E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.TrojanX-gen.14688.4643
Verdict:
Malicious activity
Analysis date:
2023-04-10 14:32:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/805d9a9a-e758-4cc7-9979-7f3a43fd9d58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381209/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.TrojanX-gen.18108.25710.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64341de3c41e8bc6a3b0b7c8/reports/06a58fd6-c92d-4b2f-a62a-f12c02a09881/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4250c2787cb484a030495a28dfbe00899b8a18f0ab1aa8550ac8317e3dd9f44e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fef8635f-7594-467d-91d1-011806e49459
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211134
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 844050 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 10/04/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 5 other signatures 2->49 7 SecuriteInfo.com.Win32.TrojanX-gen.14688.4643.exe 6 2->7         started        11 cfrecyQ.exe 5 2->11         started        process3 file4 27 C:\Users\user\AppData\Roaming\cfrecyQ.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmp2432.tmp, XML 7->29 dropped 31 SecuriteInfo.com.W....14688.4643.exe.log, ASCII 7->31 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->51 53 May check the online IP address of the machine 7->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 13 SecuriteInfo.com.Win32.TrojanX-gen.14688.4643.exe 15 2 7->13         started        17 schtasks.exe 1 7->17         started        59 Machine Learning detection for dropped file 11->59 19 cfrecyQ.exe 14 2 11->19         started        21 schtasks.exe 1 11->21         started        signatures5 process6 dnsIp7 33 masarengineering.com 68.66.248.44, 49698, 49700, 587 A2HOSTINGUS United States 13->33 35 api4.ipify.org 64.185.227.155, 443, 49697, 49699 WEBNXUS United States 13->35 41 2 other IPs or domains 13->41 23 conhost.exe 17->23         started        37 mail.masarengineering.com 19->37 39 api.ipify.org 19->39 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->61 63 Tries to steal Mail credentials (via file / registry access) 19->63 65 Tries to harvest and steal browser information (history, passwords, etc) 19->65 25 conhost.exe 21->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4250c2787cb484a030495a28dfbe00899b8a18f0ab1aa8550ac8317e3dd9f44e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-10 14:32:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijime6d4wsckamcjliun7pqargnyughqvmnkqvikzayx4poz6rha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0543d3e6b17798c68a8f2442b5d2bc1a2407dbdabd0c82ba7c8ddcde3488f662
AgentTesla
0a8368bab522deb622eca5805bc7bc6da0d4a6a63fae959c41c22c7d0b5ffa63
AgentTesla
2477006ed8c89641b3bef2e81c0f018e812fb3242fe521814b3ef58cb00bea81
AgentTesla
71bb21d0c0cd50a53a292e523455a0b270fa255f63cd132395fded0d91c447d4
AgentTesla
795d861d9411ea359cd6d19ca0f94f15a600e1ab1dff4d7c0e59755065b6babe
AgentTesla
b96ebeca4d09ff3b88c99c313198baa3e5596c884b992656b2b0bade9fb7b625
AgentTesla
d5b4018736e8ded7a665f2051a05e9fdd53e379eceee4c62abff955dbb5e4554
AgentTesla
f4d76f6893e4996666f0bbb670ad59bfd7201356080b213015621449c0aa2710
AgentTesla
+ 1'901 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230410-rvq7zaaa22/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
535ebdf984e3eec0990cf671a316ab08f425abe5f8852d98abafdb88c264f63e
MD5 hash:
bcc3e62c068264ccd1388689b4b1b71b
SHA1 hash:
fd8a6db76163e4b34be17c53abbfde08509e840f
Link:
https://www.unpac.me/results/57f19fba-fbbf-448e-b7f8-9322be39c7ee/
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/57f19fba-fbbf-448e-b7f8-9322be39c7ee/
SH256 hash:
f019cbfed9a48d21b57620e9e9fe44139a49d8f6ad72e1db96e13485a79684b3
MD5 hash:
9145a823fd2d38c9e827c932c0e1a688
SHA1 hash:
0fd71390162822b2571c34a0ed5289d9e09662d1
Link:
https://www.unpac.me/results/57f19fba-fbbf-448e-b7f8-9322be39c7ee/
Parent samples :
02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef
9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1
4f106e71463410c0880736786b987b0329cb64a441481794230890d48661c9b2
326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
SH256 hash:
4250c2787cb484a030495a28dfbe00899b8a18f0ab1aa8550ac8317e3dd9f44e
MD5 hash:
26ca1b72454579440fd916e0664efe0b
SHA1 hash:
aea0b73525a23112d9ec321bed75ff2b8cab0a89
Link:
https://www.unpac.me/results/57f19fba-fbbf-448e-b7f8-9322be39c7ee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4250c2787cb4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4250c2787cb484a030495a28dfbe00899b8a18f0ab1aa8550ac8317e3dd9f44e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/381209/

Comments