MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4537bd6b13f1ac9554adcb1339bbb385db3606b4a2fc48d7906fc48c065f2531. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	4537bd6b13f1ac9554adcb1339bbb385db3606b4a2fc48d7906fc48c065f2531
SHA3-384 hash:	e7a0e7338189c777732b69e7bea5e652b756f6f2710c5718843d7c805bd3a2ff2bafa8e56885ff0abcbb160e2ab8135b
SHA1 hash:	97e503f2e10f94d4d4388d4a14e540e9eeeb0aa4
MD5 hash:	f7a79f1d3e9b2058896ec8e6af1e5bc7
humanhash:	magazine-muppet-north-wyoming
File name:	Rechnung 3199900-331_PDF.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	363'504 bytes
First seen:	2021-12-03 13:35:17 UTC
Last seen:	2021-12-05 07:17:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:rGiup4q6N1RPWPyzZ1H6D61SRu74A9qAps9A41r38k11gtX:K/aFd6PuUDApAMkMR
Threatray	2'262 similar samples on MalwareBazaar
TLSH	T135742325BEC885E2DF850931283396BED7F3885A474D40335B179EB5BAA54D39F4C423
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Rechnung 3199900-331_PDF.scr

Verdict:

Malicious activity

Analysis date:

2021-12-03 13:37:13 UTC

Tags:

installer trojan rat agenttesla

Link:

https://app.any.run/tasks/1b2e3ce4-290b-4b41-82eb-a5cd73aed8da

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/211047/

Detection(s):

SecuriteInfo.com.Variant.Cerbu.124928.8270.5425.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Using the Windows Management Instrumentation requests

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/660/overview

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61aa1d444d8e6f3a5e0d4320/reports/78fe5645-86eb-490a-a2c8-299bf17d9d3e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/29c2c5f6-0a64-4b9c-a3e7-675d530a6b29

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/900882

Signature

.NET source code contains very large array initializations

Antivirus detection for dropped file

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4537bd6b13f1ac9554adcb1339bbb385db3606b4a2fc48d7906fc48c065f2531/

Threat name:

Win32.Infostealer.DarkStealer

Status:

Malicious

First seen:

2021-12-03 13:36:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iu3322yt6gwjkvfnzmjtto5tqxntmbvuul6erv4qn7ciybs7euyq._file

Verdict:

unknown

AgentTesla

24a163dbbbd12e458bcbcfa3e9707da5c7364369060344f062ef46dbf208169d

AgentTesla

4c2cf0f1e283c82276b179dc32846808c6089f418da35804663b7bc9056321d1

AgentTesla

7b12e253b0bf89ef0535a8dc539361954c67511bcdbc709060c0b1e6ed539cb6

AgentTesla

8b79dcff7e5007961448d9baeb7fa7ef65c399166b5250c982084b22899466cb

AgentTesla

a011e1e509dff0f1b642423ef78cd2bb5cf22f9309cd59661b5bca2090318d7d

AgentTesla

d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475

AgentTesla

e68eaf634e7dbf615e60d315a40f6bf225c06ce933a4ae193ef8b63620640447

AgentTesla

eaf4c919002576a1aa5c7729d2f953d8c0fcc2c4d34b3597ec15c207ef026e05

AgentTesla

+ 2'252 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211203-qv874sbgf2/

Behaviour

Enumerates physical storage devices

Unpacked files

SH256 hash:

4537bd6b13f1ac9554adcb1339bbb385db3606b4a2fc48d7906fc48c065f2531

MD5 hash:

f7a79f1d3e9b2058896ec8e6af1e5bc7

SHA1 hash:

97e503f2e10f94d4d4388d4a14e540e9eeeb0aa4

Link:

https://www.unpac.me/results/a613fb4f-7589-4ca3-b8f0-a5d8f6386156/

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4537bd6b13f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4537bd6b13f1ac9554adcb1339bbb385db3606b4a2fc48d7906fc48c065f2531

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 4537bd6b13f1ac9554adcb1339bbb385db3606b4a2fc48d7906fc48c065f2531

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/211047/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample