MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
SHA3-384 hash: 8786dd078aa0e18e34097ae6b53ef7b838e6462130e7df40864bce3931c7fd04bcea1930acc8f7a5cd02b65bd50648c1
SHA1 hash: 4e987e9dc5cf15dfe21ae10b88e98fec4da33051
MD5 hash: 843a464386ed0cc841876171f03cd244
humanhash: four-fanta-alaska-four
File name:42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
Download: download sample
Signature AgentTesla
Create hunting rule
File size:815'616 bytes
First seen:2023-10-12 11:02:09 UTC
Last seen:2023-10-12 11:53:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tcyAckj697pzC9wVyVGDEc+x/9vp9AEMD8Tr3EDLgNisVKD/:vkI7pzHVyAQc+lVmor3SLgrVK
Threatray 351 similar samples on MalwareBazaar
TLSH T1A105DF02BED75D80E1FB92395DE44C754B6B79DB8834CA3C39CCC19D1BA72806D18B9A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 74f4d4d4cce4e8e0 (27 x AgentTesla, 19 x Formbook, 17 x DBatLoader)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
Verdict:
Malicious activity
Analysis date:
2023-10-12 11:03:03 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/47b7a99a-ce25-4aea-9a9f-6ee618d87e32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453772/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6527d268d9aa132701807454/reports/4827bed7-afb1-442e-8fd8-de31c65e73f6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/337a3941-f433-4f60-9c4c-870fa09502f2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324605
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1324605 Sample: ehnOdcW0CR.exe Startdate: 12/10/2023 Architecture: WINDOWS Score: 100 32 zqamcx.com 2->32 34 mail.zqamcx.com 2->34 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected AgentTesla 2->52 54 5 other signatures 2->54 8 ehnOdcW0CR.exe 4 2->8         started        11 YawnMo.exe 3 2->11         started        13 YawnMo.exe 2->13         started        signatures3 process4 signatures5 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->56 58 Adds a directory exclusion to Windows Defender 8->58 60 Injects a PE file into a foreign processes 8->60 15 ehnOdcW0CR.exe 1 5 8->15         started        20 powershell.exe 23 8->20         started        62 Multi AV Scanner detection for dropped file 11->62 64 Machine Learning detection for dropped file 11->64 22 YawnMo.exe 2 11->22         started        24 YawnMo.exe 13->24         started        process6 dnsIp7 36 zqamcx.com 78.110.166.82, 49716, 49720, 49724 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 15->36 28 C:\Users\user\AppData\Roaming\...\YawnMo.exe, PE32 15->28 dropped 30 C:\Users\user\...\YawnMo.exe:Zone.Identifier, ASCII 15->30 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Tries to steal Mail credentials (via file / registry access) 15->40 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->42 26 conhost.exe 20->26         started        44 Tries to harvest and steal browser information (history, passwords, etc) 24->44 46 Installs a global keyboard hook 24->46 file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 03:48:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilkiegbvzdig33djlootj5cbqclsqe3w7xftpwcrspujxcnlbxja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4343245f1db76214093c4adefb0b167327c7bd49fa66608eccb2c4faadc3e32d
AgentTesla
48ef496367a300605f93d8d5f650a7a9a9e333c6acae2770efd78181bdd293aa
AgentTesla
4a699a693c63228aebd3e0bc98d92fe2d8bb7ae487992e81cfee767f0b9ed1bf
AgentTesla
7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
AgentTesla
89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc
AgentTesla
8bc2d2a8e99fdf12dabed46d100d94d357e064f307718087591e9858c840a1c3
AgentTesla
a0a83c6bc77fa73e06bc77a6bdd2e7d3b84319cff7f009d7f6ccc7fca5c48820
AgentTesla
c19e44f612b1b11dacfbed23b9de1b2af9035fe080438615d8f38f2ed079e93c
AgentTesla
e2f7fb5aad34116772b8667f4b40002ad59a5f81516b66c1ce9c5874f089ce6d
AgentTesla
eded555a7a575a6335ccc1c59ac51b58eb00ba3f43a0d5ed66f2af28f4d3bcf6
AgentTesla
+ 341 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231012-m5ppnsgg24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
bb80534b2020ff8b190121d259f6f0f517b945ef8e29b89554c61956c48efac3
MD5 hash:
4ce3fd8661138b0deadc1f3d5b8ca09b
SHA1 hash:
e66191df65480edf57b0c05a013c54502d472ff3
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/7e50f7ce-b724-4bc6-9b96-dd393dac3cb4/
Parent samples :
eac955e21979be52d265a31b6d4d7434089ec180b116f5fd70792978ddb87d01
916c26e1e43c03fb2faff6fe47a65492f0966ea0b5ae7ba4fd864af05f1e6ee8
dfba6d9c101eb1273aaf962047fd958424bfac70a1162c2a910640981a23d054
c9371309802b12f374c0a8f8e28b1fe40bd72929342338b7fc769f1a845f79a3
f4b4e8c5922902a99c7fad1329d23fe90295b08b165200189273f391323dc47c
3ec460aeca63f43b1c270d4c2c6d517086e8a302863bac43d7389d519c95f37e
e4b091b6eb1421a4bb8ef19af620e52d101806a44351c5191919198306d6b826
8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a
5a6c429f017b403c4bc91330056da43f35387f4a5ed19fed2be140ee29c32989
26eec7bea99973fa7a59366d0603196099cec54b0e20f89876fd1dcbc6ea1e94
234aff0ca0de7675a5bcd4b0925d85bcb9c6df06948159893fdb990274a5164c
d31d25db8f90f851d56eda5ac2e95f0b030c0d42ea908386f52e95ff313bdfc4
7feb4037f4f3a98c88af6a20855d9be48c8f127f5aca54beea08149d78bb4dc1
25fd8be2e2dcbbf3707e4aba7be70e8d962beb4a47c9c4a1763b09086fcb1258
15ba4f63fe43c578c10edea51d3a521efb953302d78621b92ca65e699b921dad
ccfb9a331960621fa51b170c722fa4f6bb7e1cc04db987298af3887fe08bd64f
760831724396437abbc9df355eff72482e467f43cdd76d426283c86820165e32
a42fc25e5c4b617629fe6867cb6625b17f18625b6a2102343dd51219bcd99760
742db9471549b91bca93f28cb8b9ba804a4fa03346223b57384b62b9a386b124
bd0b7ee993da6e96723b57cef78778f681b3682e00aa44c8916c91fbf7b9d058
571b509e7c87384fe9a4933b24cf0d7d8e2c2faa70e39613ba3561259a573df1
9972272899a7a165546fd3c97f1df1c068c658154b947dd234db1a1204d0a484
3a099cd463190175916c58f9f590da65059c3207f6e5e8d5ee7e4615fdecd4d6
17a9e377f1a8abdba24292372a1a4630383438b315b791988ebca48e8f634abc
c70653b62d36bc066f5b9253d3a9f519eca5ff2d58fd39affa1d0e2468186980
44f1236de9be7944b5ee2b19a9b7cda3df8ca686954a464abd509916d54671b1
bb80534b2020ff8b190121d259f6f0f517b945ef8e29b89554c61956c48efac3
05b6b6be781094f149665aaf2991c91fd29485545356771d1515afa6b0da105a
c0e472a9146a7975b5908ee8974d49f83426627cb074189268959a432cb61ea7
6e3f981e67d34ae5926687f3cd70f6533dbe42a041a946dd4c0ad51a239b87ee
f5970e4e030d40597a3f67287136f2044c51354e333008c8455c668622ddbfd1
eded555a7a575a6335ccc1c59ac51b58eb00ba3f43a0d5ed66f2af28f4d3bcf6
42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
b97373a2cf56a7e34552242194ca53f1afdc4283eadc6b028353d7a546d7fc11
3a835ba5ec5b577df4066e1635d0fd150f189992464836df6400ed6a416cdfd4
7e1956202b29fa1f4b2069bfca66729c92f55a8597f2915713f525d10daee463
SH256 hash:
bc6e1487bee00a8fd2b639ee4e60867d7e409bd3cb6be1451f5ddbce26340766
MD5 hash:
fe233bfa89c7e26811c45fec198f7937
SHA1 hash:
6f0af0f155b841786f43b01e0c1c033aa277cdbd
Link:
https://www.unpac.me/results/7e50f7ce-b724-4bc6-9b96-dd393dac3cb4/
SH256 hash:
df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c
MD5 hash:
8383b9306b9b5929b0aed1f24991d929
SHA1 hash:
6acebb9f139a62de981a3ec15ce35f61f5c3132e
Link:
https://www.unpac.me/results/7e50f7ce-b724-4bc6-9b96-dd393dac3cb4/
SH256 hash:
2354090a87f61476ce11f1508ed3f5ed375b0107d691437f949e05d861b4023a
MD5 hash:
ca032721ddbab907d9f1c62767ffe640
SHA1 hash:
493bd53f9c5b8d9df8dc857dfc65b9e02f4dc757
Link:
https://www.unpac.me/results/7e50f7ce-b724-4bc6-9b96-dd393dac3cb4/
SH256 hash:
7d451f7052e87d9c1e305565002f200d5e2e43fe04a773ad1d72f1f220fcff88
MD5 hash:
b23c837864ed6c0c0986b0de17ac063a
SHA1 hash:
44cd1740ff99efe039b0b9f23caa8158b46a9ed6
Link:
https://www.unpac.me/results/7e50f7ce-b724-4bc6-9b96-dd393dac3cb4/
SH256 hash:
42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
MD5 hash:
843a464386ed0cc841876171f03cd244
SHA1 hash:
4e987e9dc5cf15dfe21ae10b88e98fec4da33051
Link:
https://www.unpac.me/results/7e50f7ce-b724-4bc6-9b96-dd393dac3cb4/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42d4821835c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/453772/

Comments