MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69
SHA3-384 hash: c77ae8d3cfaaa5160c20351cc0632a326d986066515a1ecfae56e0438ca25161a130cac7ebb7b5700241a20795f085aa
SHA1 hash: ca330dde31f6e571abeb0f777305b9e3e4637f84
MD5 hash: fc10ec34c62aa33acc9b631e2a159759
humanhash: october-aspen-tango-crazy
File name:NEW ORDER INQUIRY-002692023.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:674'304 bytes
First seen:2023-04-20 10:16:51 UTC
Last seen:2023-05-13 22:53:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:VD+RJXJTxign/A520z0J+xXMZhpncur8+RxWDBLp3GuunPa7w3fUVk:wXNxi24PYEAhJvQfrWtu
Threatray 2'354 similar samples on MalwareBazaar
TLSH T140E4F129E1369DF7E2DE063900002AEDDB3996E77837C63C07A6718A9B9F7152C941C7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00e86871e8d4c400 (6 x AgentTesla, 1 x Loki)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
243
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER INQUIRY-002692023.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-20 10:25:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e0b8a8e-a266-456c-b104-b5b528db9691

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383729/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Siggen3.29490.30434.5285.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644111455cfa4694c2d82316/reports/d5c3e067-8afd-4cf5-b9b6-408b3fc2921f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0747dec-7ab6-4e64-bbb0-cf03e4ca2035
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217871
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=in6umtajbfr7mvmn4qb6dr3qmucdryqsrur6wubmeamojcpc35uq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0447c43cc9d78ef162784c4ae1ce6baa8289f9c159ec6baf735072a93bb51a88
AgentTesla
13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
AgentTesla
60fb3a013ee75a17b50bd11ea23d64fd8e656594ecedcbae4f0e96670d658914
AgentTesla
74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c
AgentTesla
c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
AgentTesla
d9c078eee29bbf1fa6676ddad6c290a903d4485a56c8a31c50e4c639680a1a00
AgentTesla
e140afebb983de95cb1dd97095f73929c26dd35d5773c170c95c94b7af5023bb
AgentTesla
e79b787e97db18226583aa9c61b0b6bb5de29945714c74636eca2cdf4947cb11
AgentTesla
fbb8dd09df0e0c79dcf488c021765e4fa915ca3a490ea45a78b622565e920f1a
AgentTesla
fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
AgentTesla
+ 2'344 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230420-mbebvahb92/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
37e10f1060e9b0f2de1811a988f6176e0d09b9cec4ccfa1ccb410206deda854b
MD5 hash:
52318e90fdf4eed034bcc86cbc1815e5
SHA1 hash:
8fec849cb22e20b458850943fe965aa70ca59e7d
Link:
https://www.unpac.me/results/2034bdd3-864e-4c6a-8395-047e983f0dba/
SH256 hash:
fc7bf3ba13fd76b83d5bfc0db92eff456776dc8272b9698628965f40ed9ce941
MD5 hash:
2d094812959b508b33087a91628f504b
SHA1 hash:
7ae1f08b5e7847952542a68b10e52625a25f5d3c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/2034bdd3-864e-4c6a-8395-047e983f0dba/
Parent samples :
e140afebb983de95cb1dd97095f73929c26dd35d5773c170c95c94b7af5023bb
437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69
SH256 hash:
a9f23a97db636c02f2f46e5daae8aefebaf10daa020ad5eebd5f17c1e1f42514
MD5 hash:
5fcd6b8318a5b79f42d2b453798def2f
SHA1 hash:
7608a30ebea20ebb6719257f09a82f4a62091322
Link:
https://www.unpac.me/results/2034bdd3-864e-4c6a-8395-047e983f0dba/
SH256 hash:
e33d7c6cca46cf1e51d3948de62b55f1d42ee1cf316b0eb3540d8c2334507e62
MD5 hash:
adb3e3b7d64936d54e8d4d1e85c799d6
SHA1 hash:
6382200ff35076458a50dc910de6c117ff0549ad
Link:
https://www.unpac.me/results/2034bdd3-864e-4c6a-8395-047e983f0dba/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/2034bdd3-864e-4c6a-8395-047e983f0dba/
SH256 hash:
437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69
MD5 hash:
fc10ec34c62aa33acc9b631e2a159759
SHA1 hash:
ca330dde31f6e571abeb0f777305b9e3e4637f84
Link:
https://www.unpac.me/results/2034bdd3-864e-4c6a-8395-047e983f0dba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 437d464c090963f6558de403e1c770650438e2128d23eb502c2018e489e2df69

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383729/

Comments