MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d
SHA3-384 hash: 5e8198d7ede3502fdcf082af7ff489227a287921ae587063fc436f39a9d60d09fb0b804d40100adc98b619608bbdb599
SHA1 hash: b46576ad4b73ef39c663401fd832e53d7b33ed4d
MD5 hash: 3c829ae5984747635a996b6ddc66446b
humanhash: mango-asparagus-failed-india
File name:SOA 023.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:415'704 bytes
First seen:2023-09-05 11:30:58 UTC
Last seen:2023-09-10 14:03:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 12288:/YIDgv2hE7h1CYvYICN4WhS51OgdTvcc7:/YID67hM+InhSrOgdTvcc7
Threatray 5'577 similar samples on MalwareBazaar
TLSH T1B394233827E5C2B3CC5667F15DBEC75B97B9EA30DD74850B63980A0E3A362006CC9796
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
278
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SOA 023.exe
Verdict:
Malicious activity
Analysis date:
2023-09-05 11:33:26 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/1476f401-38e0-4cbf-9781-ac28330d8e5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/446304/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.FileRepMalware.13403.1752.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for the window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64f71178c95366b9efff7576/reports/361bcd0a-7b41-4b45-9945-e27b0d9e3245/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a006056-1731-4469-b9fa-1032640544ba
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303471
Signature
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303471 Sample: SOA_023.exe Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 81 Snort IDS alert for network traffic 2->81 83 Found malware configuration 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 4 other signatures 2->87 8 SOA_023.exe 18 2->8         started        11 oxhdmirbwg.exe 1 2->11         started        14 oxhdmirbwg.exe 1 2->14         started        process3 file4 41 C:\Users\user\AppData\Local\...\xwmwofimm.exe, PE32 8->41 dropped 16 xwmwofimm.exe 1 3 8->16         started        89 Multi AV Scanner detection for dropped file 11->89 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->91 93 May check the online IP address of the machine 11->93 20 oxhdmirbwg.exe 14 2 11->20         started        23 conhost.exe 11->23         started        95 Maps a DLL or memory area into another process 14->95 25 oxhdmirbwg.exe 2 14->25         started        27 conhost.exe 14->27         started        29 oxhdmirbwg.exe 14->29         started        signatures5 process6 dnsIp7 39 C:\Users\user\AppData\...\oxhdmirbwg.exe, PE32 16->39 dropped 67 Multi AV Scanner detection for dropped file 16->67 69 Detected unpacking (creates a PE file in dynamic memory) 16->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->71 79 3 other signatures 16->79 31 xwmwofimm.exe 17 3 16->31         started        35 conhost.exe 16->35         started        43 mail.asiaparadisehotel.com 20->43 45 104.237.62.212, 443, 49726 WEBNXUS United States 20->45 51 2 other IPs or domains 20->51 47 mail.asiaparadisehotel.com 25->47 49 64.185.227.156, 443, 49737 WEBNXUS United States 25->49 53 2 other IPs or domains 25->53 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->73 75 Tries to steal Mail credentials (via file / registry access) 25->75 77 Tries to harvest and steal browser information (history, passwords, etc) 25->77 file8 signatures9 process10 dnsIp11 55 mail.asiaparadisehotel.com 112.213.92.100, 49725, 49729, 49738 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 31->55 57 api4.ipify.org 173.231.16.76, 443, 49724 WEBNXUS United States 31->57 59 api.ipify.org 31->59 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->61 63 Tries to steal Mail credentials (via file / registry access) 31->63 65 Creates multiple autostart registry keys 31->65 37 conhost.exe 35->37         started        signatures12 process13
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izxjz7zyc7sqgnsp5ml3mppn5atgnwlw2e7zdunbxsf7xf6rgv6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b29005d1fa110dfb5b924c879e64d7d4cce8af163f9e6853e4bbda2c298acf0
AgentTesla
4cd6dd9de06bd8011fe535066deb5e24c3eec032391a95a4cc1ad0a6a7351d98
AgentTesla
51a15921691e898e879b022164f0cfd0cacdd2214116ac176dab7b9d124f8bc9
AgentTesla
69d31a62dc0f4c9faffbe33f0c65dfa6240ef17dff57cc5ccc1a15f1219c5eb9
AgentTesla
71abfe67023b4b2085b187859621c1a5ef06fc8c8eafb4d084881a62a47ffc61
AgentTesla
b391e7e830edbf4c165f4e3d6b54c7a0e69a4a6f1341f1a2db53bc9c6ac53209
AgentTesla
bab5aa60f42a897087607c0ba3e9ccf47ece8f56a34b4d6df7177c64bd526113
AgentTesla
ecc7eaf66af67a95b00a9ed1030b779043987b135e2e09f506b8e668cb33c816
AgentTesla
+ 5'567 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230905-nmp36afa8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
25b42ef027aae6aca90bef38625d5a21d7a2f43e9ac6b3a36040c431e350fc3b
MD5 hash:
32b4bacfa171adf28ffac1bfb3b2fee4
SHA1 hash:
a015cfe1c7aea2ef66a5f33c59e89e9ffb237f65
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/e0ac3c8b-73b3-46c9-abc8-355e44e59168/
Parent samples :
71abfe67023b4b2085b187859621c1a5ef06fc8c8eafb4d084881a62a47ffc61
69d31a62dc0f4c9faffbe33f0c65dfa6240ef17dff57cc5ccc1a15f1219c5eb9
466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d
SH256 hash:
92c0dc8896d63a6d6f22de9ba6645d7b321456a09ab1509a790c771999b5e724
MD5 hash:
5792fdadacb62ea6231ec28353acaef0
SHA1 hash:
a232ba1d52faae84064838c55061435ae695251f
Link:
https://www.unpac.me/results/e0ac3c8b-73b3-46c9-abc8-355e44e59168/
SH256 hash:
466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d
MD5 hash:
3c829ae5984747635a996b6ddc66446b
SHA1 hash:
b46576ad4b73ef39c663401fd832e53d7b33ed4d
Link:
https://www.unpac.me/results/e0ac3c8b-73b3-46c9-abc8-355e44e59168/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/466e9cff3817/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 651e67d3847b133e30c49ec1a11288870d71107da7c001fe2cc988c6ccd1096a

AgentTesla

Executable exe 466e9cff3817e503364feb17b63dede82666d976d13f91d1a1bc8bfb97d1357d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/446304/
  
Dropped by
SHA256 651e67d3847b133e30c49ec1a11288870d71107da7c001fe2cc988c6ccd1096a
  
Dropped by
MD5 5b672d1e9b0dea8de1f0e93ac7c03582

Comments