MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51
SHA3-384 hash: d42a359f4591144329e7c6b2bd45ebc4b03afa075475ccb3f29c03331a7524e4e0f22c2e292af1c53d9faf3dfe5eac60
SHA1 hash: 6186b50b0fac27a4d9b7bd2a5ff5181ec0a93c49
MD5 hash: 998da53d4066bf4dae0b69cce46fbce5
humanhash: indigo-whiskey-timing-mountain
File name:Purchase Order No-SG11007893_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'984 bytes
First seen:2023-01-30 09:04:08 UTC
Last seen:2023-02-06 07:14:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:vW/vLTal2upkVeAkDSlmTXfMcW/Ecq5T7JS1dizjcBFjCfuXdm4S4w1gzs48MI:1ljceJDSYzfMh/EcCPJSvXYw
Threatray 26'014 similar samples on MalwareBazaar
TLSH T1FBF4230176B887AAC51D08F89CB86E059BB43D14E4D3D729BDE335CE593FB80805B69B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Purchase Order No-SG11007893_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-30 09:14:21 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/6885079c-02c3-4c92-9465-069c19878a6b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358191/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d78842696b2d972574e3d7/reports/f14f8a61-62ef-4fd1-b564-5f232814c25d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/287bc99f-b7a4-4f9d-b1e5-06faa36938f1
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161392
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 11:00:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 39 (58.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyfhxsqp2m4h362ebw4wo2unpbejjwpe5q24mhsimzlyxlcg3viq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2cda1f1ecc55ccc96d8f7fbea495aeee672af24c8586608ed5e8882a7d451d7c
AgentTesla
42c62f61b68113876875636bdae131773cb34e6c0e6e656662ec68d8b34b0c13
AgentTesla
4e2bdf836d194b0403c2692bd0f6d3f113eda05b3e6925c88e0e2d7899f2a595
AgentTesla
58065e837fa1f0b7195e98af39a86a43c28a44491b5c78a97b5577c20f498c5a
AgentTesla
8c0726ab5d6f41c5e8d123d8c2444eb709543ee350dcecfe6e5190ddfe32e337
AgentTesla
ec84bde980efa561e8c00450fc300a499497d96d5adb5d1d3d587f1ada6549dd
AgentTesla
fb57bf3906e35fa723bd56e5ba74138996ce7db73f1d6fd9cf18ac03f017b434
AgentTesla
+ 26'004 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230130-k17ctahh24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/d16d9de0-20ac-4aab-a96c-25a049074873/
SH256 hash:
c75ccb1a5b4a0fc08251048105696b3b7eb8d270ad1317b5277a8dd8d37472b1
MD5 hash:
29adbabd1bd6f1b4905e8fbb404c4c0a
SHA1 hash:
9f3fb1a294c11a85ced4e05d8c555dc2598ea520
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/d16d9de0-20ac-4aab-a96c-25a049074873/
Parent samples :
718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b
4e2bdf836d194b0403c2692bd0f6d3f113eda05b3e6925c88e0e2d7899f2a595
42c62f61b68113876875636bdae131773cb34e6c0e6e656662ec68d8b34b0c13
ac6e353a17337ed2a5b17500d60f5c74c71d479fd88ce124f256fe09b1378798
e38b4383a70321dc1aa407523474413fe583399fe638aad66fe9113096a8b203
ec84bde980efa561e8c00450fc300a499497d96d5adb5d1d3d587f1ada6549dd
460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51
33688ef783b3f8913608927cc25e28bb4a7097a2636d734af213956c60178784
SH256 hash:
c9f028302861ce29f7ddd2fbec2d64147c80f9d681cabd6cc09f8f0799880f07
MD5 hash:
d04b2e3485e5e580769c03c443d84d7c
SHA1 hash:
5fe55122fac9bda9980eda3eb9d257b9c851cdfd
Link:
https://www.unpac.me/results/d16d9de0-20ac-4aab-a96c-25a049074873/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/d16d9de0-20ac-4aab-a96c-25a049074873/
SH256 hash:
03574eaf74175e0f78f2718d02c1346f1cad1c85b4dadc2dbc1f21568e4608d8
MD5 hash:
cc62b9f82817662639f3fe2083321324
SHA1 hash:
02fb26ad22acfdab6dd75154f02646906b7accff
Link:
https://www.unpac.me/results/d16d9de0-20ac-4aab-a96c-25a049074873/
SH256 hash:
460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51
MD5 hash:
998da53d4066bf4dae0b69cce46fbce5
SHA1 hash:
6186b50b0fac27a4d9b7bd2a5ff5181ec0a93c49
Link:
https://www.unpac.me/results/d16d9de0-20ac-4aab-a96c-25a049074873/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/460a7bca0fd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/358191/

Comments