MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 479a22f7d237f106a309d15b940df13eaba43c1a13bde3e99e85d493b5cfba75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 479a22f7d237f106a309d15b940df13eaba43c1a13bde3e99e85d493b5cfba75
SHA3-384 hash: 4ba901ffb55ab11ff1e32d7d18720b76f5ea4141a65d92b5c0c56be7b71fe01bae87569e163dc6147d9e3e0241bea607
SHA1 hash: 6a03b304f61e11f58fb924f1b09bfdb2889f712f
MD5 hash: ce0ecdff71a09264656f0c1bd8e16042
humanhash: bravo-lamp-mississippi-utah
File name:76543456887545.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:320'357 bytes
First seen:2021-09-22 05:44:45 UTC
Last seen:2021-09-22 07:14:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:b8LxBqUdQEVgNgs4U7EdCqGBcUgYqrtz/e4lWVxP8w+wiuiaUoCwNdfLRLL6LKUx:nUdQEy2ZC7GVYqrtbe9xz+sUojfNmKk
Threatray 1'081 similar samples on MalwareBazaar
TLSH T1A264124DE9C0D9B3F5A289B186B33F76E3BE4358815298438B783E7878728D6535EC11
File icon (PE):PE icon
dhash icon 4f07090d0d014f8c (47 x SnakeKeylogger, 17 x Formbook, 13 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
76543456887545.exe
Verdict:
Malicious activity
Analysis date:
2021-09-22 05:47:29 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/475d8bb8-d7ac-432c-aada-98640c1b79bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190039/
Detection(s):
SecuriteInfo.com.DeepScan.Generic.Ransom.CloudSword.F4A32C08.31399.2779.UNOFFICIAL
Create hunting rule

Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76b3a4f0-23fb-4a00-b47c-ca6cadf77f37
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855329
Signature
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/479a22f7d237f106a309d15b940df13eaba43c1a13bde3e99e85d493b5cfba75/
Threat name:
Win32.Ransomware.CloudSword
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 04:12:19 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i6ncf56sg7yqniyj2fnzidprh2v2ipa2co66h2m6qxkjhnopxj2q._file
Verdict:
malicious
Similar samples:
69e1e65f93b1939bf2677660efd59acec32e6f340134ea03f5c5abe17682c875
AgentTesla
834833adf2996b1c2846f36b48aea5ec0b71fd7f14e314baacd3755d27825197
AgentTesla
ab3bd41484af4af797f93d64c2c420accfdb426c635bdcbad90bfef989b2f4db
AgentTesla
ca902120a48485659c09e272fcd1708054502f82d4fa85a229d62ab6452abc54
AgentTesla
d09a787825612ddedc0739ec53154c849e80ea431373ddaf0c5fb988ed30b8be
AgentTesla
e0da065f5de30c5ba0f494a5e042fadef310039fef35896a61756d49c6e21611
AgentTesla
f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127
AgentTesla
f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b
AgentTesla
+ 1'071 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210922-gfqyjsbeh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
SH256 hash:
3951319df91b2dd7dad186a773ed334f827698c3602720e6a07cf18e735709a5
MD5 hash:
2cc0ab692ccc004d8ea454f4efeb6222
SHA1 hash:
3512966caef0e0e069eb86c25a4ae5b3de32ca32
Link:
https://www.unpac.me/results/0bf68c4b-aa1b-4433-9e97-d819caff6cc7/
SH256 hash:
fcbdfcb476d82df9db3b85b2b68118b251e184a368fc8095c176732058b36fc2
MD5 hash:
1c57aac8861c5d6969e74dd3526bf805
SHA1 hash:
087dc71f3e1a12ea197805b9d272e50749413976
Link:
https://www.unpac.me/results/0bf68c4b-aa1b-4433-9e97-d819caff6cc7/
SH256 hash:
479a22f7d237f106a309d15b940df13eaba43c1a13bde3e99e85d493b5cfba75
MD5 hash:
ce0ecdff71a09264656f0c1bd8e16042
SHA1 hash:
6a03b304f61e11f58fb924f1b09bfdb2889f712f
Link:
https://www.unpac.me/results/0bf68c4b-aa1b-4433-9e97-d819caff6cc7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/479a22f7d237f106a309d15b940df13eaba43c1a13bde3e99e85d493b5cfba75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 479a22f7d237f106a309d15b940df13eaba43c1a13bde3e99e85d493b5cfba75

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/190039/

Comments