MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 12



SHA256 hash: 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
SHA3-384 hash: e1b6d031d6acf94c35693b9ffa0114e1bce0d41eedadbf75b1dd75417c77337f9fbbcee7ed12b07e0105f5d8e3b93903
SHA1 hash: 3e8db21fa24be973521f87bb3076f55390fc3622
MD5 hash: 1ed5ad3e9e507982677854ddffae0bfc
humanhash: black-victor-violet-montana
File name: Purchase Order (PO) PO 00197086.exe
Signature: AgentTesla
File size: 672'768 bytes
First seen: 2023-10-02 09:20:16 UTC
Last seen: 2023-10-02 11:58:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:tpmNumB0apppiZ/5bP9fU7re+s3oLSPGi7l96MEQGNVVQVsk/yBiXsLRA9v8Cp:Xty3DWRbVfGKjR5hTGNQuk/ycXyA9v8a
Threatray: 126 similar samples on MalwareBazaar
TLSH: T167E42211A6988B15C83483FA0464B6220B75ED37781AE79C9EE57BCB8E57F34070BB53
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: cocaman
Tags: AgentTesla exe
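Before doing anything with the downloaded file, recompute its digests and compare them with the values in this entry; a mismatch means you are not looking at the sample the vendor results below describe. The following Python is an added example, not MalwareBazaar tooling: only the four digest values and the file size are copied from the entry above, while the verdict labels ("match", "mismatch", "partial") and the function names are the example's own.

```python
"""Recompute a downloaded file's digests and compare them with this entry.

Added example (not MalwareBazaar tooling). Only the digest values and the file
size below are taken from the entry; everything else is the example's own.
"""
import hashlib
import os

# Copied from the entry above.
ENTRY_DIGESTS = {
    "sha256": "457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b",
    "sha3_384": "e1b6d031d6acf94c35693b9ffa0114e1bce0d41eedadbf75b1dd75417c77337f9fbbcee7ed12b07e0105f5d8e3b93903",
    "sha1": "3e8db21fa24be973521f87bb3076f55390fc3622",
    "md5": "1ed5ad3e9e507982677854ddffae0bfc",
}
ENTRY_SIZE = 672768  # "File size: 672'768 bytes"


def digest_bytes(data):
    """All four digests of an in-memory blob, lowercase hex, keyed like ENTRY_DIGESTS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_DIGESTS}


def digest_file(path, chunk_size=1 << 20):
    """Same digests for a file on disk, streamed so large samples are not read whole."""
    hashers = {name: hashlib.new(name) for name in ENTRY_DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual, expected=ENTRY_DIGESTS):
    """Per-digest True/False; hex case and surrounding whitespace are ignored."""
    return {name: actual[name].lower() == expected[name].strip().lower()
            for name in expected}


def classify(results):
    """Collapse a comparison dict (digests plus 'size') into one verdict.

    match     everything agrees with the entry
    mismatch  no digest agrees: this is a different file
    partial   some digests agree and others do not. The strong digests (SHA-256,
              SHA3-384) disagreeing while MD5 or SHA-1 agree cannot happen by
              accident; treat the file as tampered and the weak digests as useless.
    """
    if all(results.values()):
        return "match"
    if not any(v for k, v in results.items() if k != "size"):
        return "mismatch"
    return "partial"


def verify_bytes(data, expected=ENTRY_DIGESTS, size=ENTRY_SIZE):
    """Return (verdict, per-check results) for an in-memory blob."""
    results = compare(digest_bytes(data), expected)
    results["size"] = len(data) == size
    return classify(results), results


def verify_file(path, expected=ENTRY_DIGESTS, size=ENTRY_SIZE):
    """Return (verdict, per-check results) for the extracted sample at `path`."""
    results = compare(digest_file(path), expected)
    results["size"] = os.path.getsize(path) == size
    return classify(results), results


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path to the extracted .exe>
    verdict, results = verify_file(sys.argv[1])
    print(verdict, results)
```

MalwareBazaar serves samples inside a password-protected ZIP (password `infected`); run the check against the extracted executable, not the archive, and do not extract it on a machine you care about.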

Intelligence

File Origin
# of uploads: 2
# of downloads: 306
Origin country: CH
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:

Threat name: ByteCode-MSIL.Trojan.Vigorf
Status: Malicious
First seen: 2023-10-02 05:11:11 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 22 of 38 (57.89%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files (SHA256 / MD5 / SHA1, with YARA detections where present):
2774ee2faeb728836a406a1c1fe7c586afee98bd2e8ed886449510d9b10f0ad0 / 60f18b38ce30086717491c0c6fb07bb4 / faa16dbbd107b9042369e241eae20f5e02e7f8a9 (detections: win_formbook_w0 win_formbook_g0)
eae295b9f95b0b618d0dae374f26e700d8b27b5a9b4c65f5872c0ba797d9a5ad / 29240f36c9b7fc6f7e1792c94e62eee7 / 9c13994a69dacc8f92bc5aa1d21f2c55ef5ccec6
eb3aa00881adf4ad4e05192f6b430e5df4f6d554bc073e803cd77a2c8b2324d9 / 182e7c85ed724d83e5536a9eb571506e / 47e2c51f3474e7497dc64a8ca23a7235a2b1d4e6
d60dec072f893a5f398ba30e3a15cb61570cb724c19751afeb2c4c659b59622a / 8c865d459cbe885b9611d339deb8d457 / de13418769a5c9a2cc0050abebc928dfa7b789f1
ee4cee9d1c7cb63f55c120c858d15c6b6e4a1a35e7e56b97211ed4d9fcffdac8 / 3ddc6c097a37379cc9d2d503594fa76c / b266e83ed79dcbc85aaf3acd988b3cccb84c55e2
3fd0bedc0411d2ef09bb38f50a70888b9db436aa3f1a3f6340b3957a8bf1cef3 / f7e3ee72e28761ebde68a3d0e2aeea6f / 102da2e7659210602f3ccfbb7768d8478428a565
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391 / 1622a62bf6805b2dca82a8632eceac71 / 071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
c2045d1ca34f14e6fe8a9cff093d89f0305c0e63cfe21e3386cee336067bd346 / af179c0d95c9b86b331fd61189cfb991 / edb976e5a59b955173eeabdb4c676f6ee44c0dd4
fb73158d9f2da2fe8bf4bff7b05b6ed5ee9ffbdb62080deff7495be84df9e76a / 70dfe78f7caceb5dd77983f76ed1da81 / c2c0f40647e9c55f0e4873d6e591f7fe4245d92a
6dd03bca82a9f12159e27aa15bf597797785991307c069928845f20ac7baacb5 / f70cfea73d7be731f9b700e236101e6a / 3ec607f265adeed0d00bf5a3c0014103b8cef24e
9399379d67d92c883d80977d577d9fca052fabe153fbf1123cde6c33a7f4ba37 / a8fd5506bbde4b03b196112d61d31e04 / 301994a6339cc95ac2c18232488ef426ea2af16b
8dafc9f1a3772860880ec81ad45155e8dbfd7f64ff35bedea0cdcbaf67715a61 / 06f8fc59531bcbcfbf64275f0e3c3ed7 / 1d6fd8ad6713900e014af2eebbd11048e94a1550
12c3d5ff2bd6271351659e28347c59f54d881a4658a61e04cade451d34137649 / 2ad89696d160892893815426b08d0523 / 114bf1e5ce1c385191ecb80e539e9dac38b93d33
457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b / 1ed5ad3e9e507982677854ddffae0bfc / 3e8db21fa24be973521f87bb3076f55390fc3622 (the submitted sample itself)

Note the family discrepancy: the entry is labelled AgentTesla, but the only unpacked file with a YARA hit matches win_formbook_w0 and win_formbook_g0, and the sandbox result above names FormBook. The AgentTesla label is not corroborated by the unpacked payload, so treat the FormBook match as the stronger family evidence.
Please note that we are no longer able to provide a coverage score for VirusTotal.
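The behaviour signatures in the vendor results above (Suspicious use of WriteProcessMemory, SetThreadContext and UnmapMainImage, Allocates memory in foreign processes, Queues an APC in another process) each record a single API call; what names the injection technique is the ordered combination of those calls between one caller and one target process. The following Python is an added example, not code from any sandbox or from MalwareBazaar: it runs that sequencing logic over a constructed API trace in a made-up "caller API target [flags]" line format. The API-to-step mapping and the three technique definitions (process hollowing, APC injection, section-mapping injection) are the example's own encoding and are deliberately conservative.

```python
"""Turn single-API sandbox signatures into per-target injection findings.

Added example; the trace format and the trace itself are constructed, not
exported from any sandbox.
"""
import re
from collections import defaultdict

# Constructed trace: "<caller pid> <API> <target pid or -> [flags]".
SAMPLE_TRACE = """\
4512 CreateProcessW 7840 CREATE_SUSPENDED
4512 NtUnmapViewOfSection 7840
4512 VirtualAllocEx 7840
4512 WriteProcessMemory 7840
4512 WriteProcessMemory 7840
4512 SetThreadContext 7840
4512 ResumeThread 7840
4512 OpenProcess 1204
4512 VirtualAllocEx 1204
4512 WriteProcessMemory 1204
4512 NtQueueApcThread 1204
4512 GetForegroundWindow -
4512 GetForegroundWindow -
"""

# Win32 and native spellings of each step collapse to one canonical name.
STEPS = {
    "unmap": {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "alloc": {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"},
    "write": {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"},
    "map_view": {"NtMapViewOfSection", "ZwMapViewOfSection"},
    "set_context": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "queue_apc": {"QueueUserAPC", "NtQueueApcThread", "NtQueueApcThreadEx"},
    "resume": {"ResumeThread", "NtResumeThread"},
}
API_TO_STEP = {api: step for step, apis in STEPS.items() for api in apis}

# A technique is a sequence of steps that must all occur, in this order (by
# first occurrence), between one caller and one target process.
TECHNIQUES = {
    "process hollowing": ("unmap", "write", "set_context", "resume"),
    "APC injection": ("alloc", "write", "queue_apc"),
    "section mapping injection": ("map_view", "set_context", "resume"),
}

LINE_RE = re.compile(
    r"^(?P<caller>\d+)\s+(?P<api>\w+)\s+(?P<target>\d+|-)(?:\s+(?P<flags>\S+))?$"
)


def parse_trace(text):
    """Return (caller, api, target, flags) tuples; target is None for local calls."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unparseable trace line {line!r}")
        target = None if m["target"] == "-" else int(m["target"])
        events.append((int(m["caller"]), m["api"], target, m["flags"]))
    return events


def find_injection(events):
    """Return sorted (caller, target, technique) triples found in the trace."""
    first_seen = defaultdict(dict)  # (caller, target) -> {step: index of first call}
    for index, (caller, api, target, _flags) in enumerate(events):
        if target is None or target == caller:
            continue  # only cross-process calls matter here
        step = API_TO_STEP.get(api)
        if step is not None:
            first_seen[(caller, target)].setdefault(step, index)
    findings = []
    for (caller, target), seen in sorted(first_seen.items()):
        for name, sequence in TECHNIQUES.items():
            if all(step in seen for step in sequence):
                order = [seen[step] for step in sequence]
                if order == sorted(order):  # steps happened in the required order
                    findings.append((caller, target, name))
    return findings


def count_api(events, api):
    """Call count for one API; sandboxes flag e.g. GetForegroundWindow when spammed."""
    return sum(1 for _, name, _, _ in events if name == api)


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for caller, target, technique in find_injection(trace):
        print(f"{caller} -> {target}: {technique}")
```

Order matters: a write that happens after SetThreadContext cannot have supplied the thread's new entry point, so the detector refuses to call that hollowing, which keeps the rule from firing on ordinary debugger-style memory access.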

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
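Two of the three rules above (pe_imphash, Skystars_Malware_Imphash) key on the import hash, and the file-information table shows that this sample's imphash f34d5f2d4577ed6d9ceec516c1f5a744 is shared by tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. The reason is structural: a managed .NET executable has exactly one native import, _CorExeMain from mscoree.dll, so every such binary hashes to the same value and an imphash rule hit says only ".NET exe". The following Python reimplements the imphash algorithm used by pefile and by YARA's pe.imphash() to show this. It is an added example, not code from MalwareBazaar or from the rule authors; the import tables in it are constructed, not extracted from this sample, ordinal-only imports are rendered as "ordN" without pefile's name lookup for known system DLLs, and the `usable_pivots` helper and its key names are the example's own.

```python
"""Import hash (imphash) as computed by pefile / YARA's pe.imphash().

Added example; the import tables below are constructed for illustration.
"""
import hashlib

_STRIP_EXT = (".dll", ".ocx", ".sys")


def imphash(imports):
    """imports: (dll_name, function_name or ordinal int) pairs in import-table order.

    Algorithm: lowercase the DLL name, drop a .dll/.ocx/.sys suffix, join
    '<dll>.<func>' entries with commas, MD5 the result. Order and spelling
    matter, so the same imports in a different order hash differently.
    Ordinal-only imports become 'ordN' (pefile additionally maps some known
    ordinals to names; that lookup table is omitted here).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in _STRIP_EXT:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The complete native import table of a managed (.NET) .exe: the CLR entry stub only.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed table a native injector might have; used only for contrast.
NATIVE_INJECTOR_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "SetThreadContext"),
    ("ntdll.dll", "NtUnmapViewOfSection"),
]

GENERIC_DOTNET_EXE_IMPHASH = imphash(DOTNET_EXE_IMPORTS)


def is_generic_dotnet_imphash(value):
    """True when an imphash only says 'this is a .NET exe' and carries no family signal."""
    return value.strip().lower() == GENERIC_DOTNET_EXE_IMPHASH


def usable_pivots(entry):
    """Given a dict of an entry's similarity hashes, keep the ones worth pivoting on.

    Drops the imphash when it is the generic .NET value and the icon dhash when it
    is all zeros (a flat or missing icon, which is equally shared across families).
    Keys ('imphash', 'dhash_icon', 'tlsh', 'ssdeep') are this example's own naming.
    """
    pivots = {}
    for key, value in entry.items():
        if key == "imphash" and is_generic_dotnet_imphash(value):
            continue
        if key == "dhash_icon" and set(value) == {"0"}:
            continue
        pivots[key] = value
    return pivots


if __name__ == "__main__":
    print("generic .NET exe imphash:", GENERIC_DOTNET_EXE_IMPHASH)
    print("native injector imphash: ", imphash(NATIVE_INJECTOR_IMPORTS))
```

For this entry the practical consequence is that TLSH and ssdeep (and the Threatray similarity count) are the hashes to pivot on; the imphash and the all-zero icon dhash will only return the same crowd of unrelated .NET stealers.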

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Family: AgentTesla
Sample: Executable exe 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b (this sample)
