MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46ae23a0609f1f9d965f6ac0e192bb10de8b5b9c9a5bdf3d36947a009fb363ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46ae23a0609f1f9d965f6ac0e192bb10de8b5b9c9a5bdf3d36947a009fb363ea
SHA3-384 hash: 0c545e93ea4fdc52fe3e22d3c59a6c7c7ab9f0f503b0f18f583cc18018b39cd402929078c07482fca6cc374f3cff4caf
SHA1 hash: c15992230b072e19d6723e290a88a6fa24e64d35
MD5 hash: 0824057fe93e4b00d209f41dbffddca3
humanhash: black-robin-pluto-louisiana
File name:0824057fe93e4b00d209f41dbffddca3
Download: download sample
Signature AgentTesla
Create hunting rule
File size:330'240 bytes
First seen:2021-07-09 00:36:29 UTC
Last seen:2021-07-09 03:02:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:f5N5i9j8XKmW3x+3AdERxjYuJSgqiYMXzv7kJ7QygBggT16vfOfc:f/5Kj8XWLCiuogAMX277gq5
Threatray 6'515 similar samples on MalwareBazaar
TLSH T10B64020166C9E6F9C6974573DC9278F09A193F19E94C8D8B9C44BA2A3271B30C97A39C
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0824057fe93e4b00d209f41dbffddca3
Verdict:
Suspicious activity
Analysis date:
2021-07-09 00:41:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ca919153-ffbe-4d92-b914-698254c5304d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170585/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.13815.19067.209.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98bdbac9-0157-4c28-bd16-0a2cc77448dc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813814
Signature
.NET source code contains very large array initializations
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446225 Sample: 61WmaRG0Rm Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->39 41 5 other signatures 2->41 6 61WmaRG0Rm.exe 1 7 2->6         started        10 talme.exe 5 2->10         started        12 talme.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\Roaming\...\talme.exe, PE32 6->25 dropped 27 C:\Users\user\AppData\...\61WmaRG0Rm.exe, PE32 6->27 dropped 29 C:\Users\user\...\talme.exe:Zone.Identifier, ASCII 6->29 dropped 33 2 other malicious files 6->33 dropped 43 Writes to foreign memory regions 6->43 45 Injects a PE file into a foreign processes 6->45 14 61WmaRG0Rm.exe 2 6->14         started        31 C:\Users\user\AppData\Local\Temp\talme.exe, PE32 10->31 dropped 17 talme.exe 10->17         started        19 talme.exe 2 10->19         started        21 talme.exe 12->21         started        23 talme.exe 12->23         started        signatures5 process6 signatures7 47 Multi AV Scanner detection for dropped file 14->47 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46ae23a0609f1f9d965f6ac0e192bb10de8b5b9c9a5bdf3d36947a009fb363ea/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 02:08:14 UTC
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b15f992f5339280a6ffcd88e12cdbd358f3fd2ea797ec96036d2d8cf62210d6
AgentTesla
1dba88d2a711e0efb588cb9465a78513b45c80736ca55b31a678993eb5d89152
AgentTesla
56b4f0d1d0a0ed41109abf11275097cfd12e8e79709f829914f6a89286606eab
AgentTesla
670b031cca042e01b07ece7021acc32ead795c2d64956c3f8754ff5f619dbcea
AgentTesla
872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4
AgentTesla
8f61c978bb49ad072955763d7591104d967c7ac3380d8ef1157bf5e158f79770
AgentTesla
96b067e320b73d73d44df9a4ccc7041deec2059fb26a2efa50a877a528ada172
AgentTesla
b18e1ff13ab870d535b0bf3640d5520271434ed5724dbea225b80e69a18912e7
AgentTesla
b419a7ab9e20433d32b0751483e81f24c3544b304399cf497f9e9f82efab2764
AgentTesla
d720d5e55684cbf894809d5963e95d6613af588bfaeb0ecfa6001beb533d0232
AgentTesla
+ 6'505 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210709-9wvymgseqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
6cae584bd71eef950cf025cd68e5750c5ae95b1582d31b304af4ff758154298d
MD5 hash:
ebf62173420e1da4b76a23fe3961575a
SHA1 hash:
b1c0e989c7ead0e26330c7b10e96786e2b3bbc7f
Link:
https://www.unpac.me/results/f0a55142-2493-4b8f-82f1-3beafb268c8b/
SH256 hash:
9e8449b55b8830170eedc4c090f591e7edab105de3326310c8051abedf317e2b
MD5 hash:
51265a7ab4c62ee18082618480e355fd
SHA1 hash:
af259d2c6ab105dfa7b6c04d7c6dea2add88ade1
Link:
https://www.unpac.me/results/f0a55142-2493-4b8f-82f1-3beafb268c8b/
SH256 hash:
c8792af0f65c89e771eace9cbe59c5bd76a3ddfbcea2d9a26e0ba228cc4fba9e
MD5 hash:
21294418ac6295a51a7503cc00899c0e
SHA1 hash:
8dd7fe8f0d4570f54123f0b6290ef644fa7eca05
Link:
https://www.unpac.me/results/f0a55142-2493-4b8f-82f1-3beafb268c8b/
SH256 hash:
46ae23a0609f1f9d965f6ac0e192bb10de8b5b9c9a5bdf3d36947a009fb363ea
MD5 hash:
0824057fe93e4b00d209f41dbffddca3
SHA1 hash:
c15992230b072e19d6723e290a88a6fa24e64d35
Link:
https://www.unpac.me/results/f0a55142-2493-4b8f-82f1-3beafb268c8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46ae23a0609f1f9d965f6ac0e192bb10de8b5b9c9a5bdf3d36947a009fb363ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 46ae23a0609f1f9d965f6ac0e192bb10de8b5b9c9a5bdf3d36947a009fb363ea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1437481/
Cape
Cape
https://www.capesandbox.com/analysis/170585/

Comments


Avatar
zbet commented on 2021-07-09 00:36:30 UTC

url : hxxp://lifestyledrinks.hu/wp-includes/cs2/01100948010.exe