MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4695413b297cf904ac6c3d757c44bc2ee4afa9f4def2c556b30af20c4f5712b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4695413b297cf904ac6c3d757c44bc2ee4afa9f4def2c556b30af20c4f5712b3
SHA3-384 hash: e4dce197ab5e7e661feed29165eaf6fc91d65d24d52116feb0a015db29c99d7fa9ec905c318e0ef77f69e7e409be4e14
SHA1 hash: 53d58152285d30aeffa8f9d7d9f5a7f2cabf91ac
MD5 hash: e5bf3b3af26c061cfcff40b69ff456e9
humanhash: alabama-carpet-oven-zebra
File name:YOUR_EMA.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:423'936 bytes
First seen:2020-11-17 19:55:44 UTC
Last seen:2020-11-20 00:40:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:QUm7AbR979jy2VgY83p41QCct9P1BXE8zQRP6NdtBwwfe:QYR9NVxQ31BXnvBm
Threatray 480 similar samples on MalwareBazaar
TLSH 5D947D723D93986ECA6E07711065C5C1FABA2EC73F958B0DF19A730C0E11A1BAB57247
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/539886
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4695413b297cf904ac6c3d757c44bc2ee4afa9f4def2c556b30af20c4f5712b3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 19:50:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2kucozjpt4qjldmhv2xyrf4f3sk7kpu33zmkvvtblzayt2xckzq._file
Verdict:
unknown
Similar samples:
16a4855bceb4df02e0478cd72972a6e7f144f2278fedb239c2cb696cf6bf7199
AgentTesla
223c38be022bf37ef243556438ecd472ae67bbb46fcf0e7ce4ea3173260141e9
AgentTesla
83a00cced5b83593db2ff0ce7f23937ba5b836b28969c1a0d481a6e9fbea5f53
AgentTesla
a83497c7e3335390441e23f19360eb02a9f9e0613afe56bd0743e1502e1d01df
AgentTesla
b511fbc6adf655af3e693e7a7081e62f26eacd616273f625a8e9c3568420e1fc
AgentTesla
c3c933e8d5ebaa421d67aaf4c26be3c0368992133c3105fdd935470128910f6c
AgentTesla
cf68e1b1e8e89cf03b0d721957c794936947c8cf5f8c30401c20e075e4b37c6e
AgentTesla
f24849d70670b5448e96f02fe8bc12328bee2922be60f70ec8121531778f0d05
AgentTesla
f332ebde8b3dc026728bf80e7edd9b0c0809e8df2e28f6baabaaa3327a295dca
AgentTesla
f4e60792b136f02c28fd35322ee58bf723aeaa3611d286417d8b2b0707612cdc
AgentTesla
+ 470 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201117-rkjxxvr3aa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Drops file in Drivers directory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img cf57cf81bef15492e3b045486e9f1c780760f42f6a9776ed7cb6acaddb0724a5

AgentTesla

Executable exe 4695413b297cf904ac6c3d757c44bc2ee4afa9f4def2c556b30af20c4f5712b3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 cf57cf81bef15492e3b045486e9f1c780760f42f6a9776ed7cb6acaddb0724a5

Comments