MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d
SHA3-384 hash: 6e3374f48b6611c510fd3d3c76c36b55e290f804b9259f9aa676b7e379faa51241fb7b5e773b9db65fccb68fb14c174d
SHA1 hash: b5dd6f599976055074386fd8958273d4478dc737
MD5 hash: afe3645cd8498f1a9adc124c28e5ca94
humanhash: kilo-stream-mirror-eighteen
File name:FİRMA PROFİLİ VE ÜRÜN AÇIKLAMASI_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:722'944 bytes
First seen:2023-04-24 09:21:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:llls8szJ/lOfJZO+LMvGG2wHgb1LMt8M5vwM:llllszJ/l+vOKiGGb6LMt8k
Threatray 648 similar samples on MalwareBazaar
TLSH T19AF4CF2B621ED4B6D15E66B3D1E917FB0F1D2ECAEE79A0430BA87DD431723B90B48441
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter spatronn2
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FİRMA PROFİLİ VE ÜRÜN AÇIKLAMASI_PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-04-24 09:23:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72c620d3-cabe-40a3-a387-d32e28d7c284

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/384497/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64464a3b1ef9122678a31557/reports/cf639632-528c-4013-9c6e-79a2089dc52b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ded9d22f-e36d-407a-9754-df02c1e49361
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219840
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852786 Sample: F#U0130RMA_PROF#U0130L#U013... Startdate: 24/04/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 8 other signatures 2->51 7 F#U0130RMA_PROF#U0130L#U0130_VE_#U00dcR#U00dcN_A#U00c7IKLAMASI_PDF.exe 7 2->7         started        11 XQQHpLNqSflfd.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\XQQHpLNqSflfd.exe, PE32 7->35 dropped 37 C:\...\XQQHpLNqSflfd.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp81F4.tmp, XML 7->39 dropped 41 F#U0130RMA_PROF#U0...KLAMASI_PDF.exe.log, ASCII 7->41 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 F#U0130RMA_PROF#U0130L#U0130_VE_#U00dcR#U00dcN_A#U00c7IKLAMASI_PDF.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 powershell.exe 19 7->19         started        21 schtasks.exe 1 7->21         started        59 Machine Learning detection for dropped file 11->59 23 XQQHpLNqSflfd.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 api.telegram.org 149.154.167.220, 443, 49696, 49698 TELEGRAMRU United Kingdom 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        61 Tries to steal Mail credentials (via file / registry access) 23->61 63 Tries to harvest and steal browser information (history, passwords, etc) 23->63 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-24 07:23:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i64v2ujkvwnz7ojrvwprsn6irez7w26w4hodv7ra6gc5odmwpfoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
25dd001a5f16216d73a254e8ce18fbe6730d4570b5802b4c7ef7650f8fe17061
AgentTesla
2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8
AgentTesla
321cacca1d81268ded64db8dfe9325631165d5000d4d2966564f6c6f7fb383d1
AgentTesla
4164d3bec950ac04c1a2e8edc8b4bccc4526daa5400e011c2622e9b08c720901
AgentTesla
74c836dfe668140a6936e71347ac8eafd517ec914d7201666081f99c2a6ae846
AgentTesla
8943593e7957a1ec506da8328e3b1fbe8447e6daf23992e007756ba79a13c095
AgentTesla
98d4406e8ee40991fc7008774e833e0b6cf758ffedd7e06023a926a06646591d
AgentTesla
d74b7b3c23e3280b35cd8c6730912b8d04412c0ed4dbc13d06182a44f38e4a69
AgentTesla
f2880cca891b77df9616dcad027fbba4e2e3425a5c0e3a91ee4a6035572053e2
AgentTesla
f3aa635a38f6737c7250e72a15aa596ca55d1cf31398bdcb7c5c6254cadbabf2
AgentTesla
+ 638 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230424-lbwqfsah57/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
a209d156256ea20fcf1359a9ad39df396218fb474acb4cbfc859eb524887e405
MD5 hash:
6cbe5f0daab8b3add38250a699deba23
SHA1 hash:
bf1153517e9de5522b2d45c3d4fcd40331e299aa
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/a7b25385-995b-46da-b0ad-7cce6ac8cd67/
Parent samples :
2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8
8943593e7957a1ec506da8328e3b1fbe8447e6daf23992e007756ba79a13c095
47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d
5c76a96da653327e6693cf7b0cd13af04dccdc8cab2692fdb707b293c197c2ee
32758fc5150d78fc2eb377d6a3468e199a6d2f3222070c2a7f72b90bfbd95759
139108c63c1c7cddfa8ab353bfd2c9540349be90d4e8ec1f4c21249ed57ec109
a8e0587c11c94b01dbfa35ab575d6ff9987aea21eeec5e1136445cbd4bf50c99
9f9ef502a14f6985947ff8aed129252f4db71d4ab29bb2cd11b533ce1fbf3102
e1a441bbf7f86c4a4ae14f1a62301dffeef1261a53e6829eaa9085d666e14bf1
SH256 hash:
65432e83ae0084511995b26f09d1b4853e6ff6a53b442dadc69748ceb8f0be34
MD5 hash:
86e6ea6571bcda799f849c10aa4d28f9
SHA1 hash:
a6ade05fc149968098fa7b6f88a54b13385499bb
Link:
https://www.unpac.me/results/a7b25385-995b-46da-b0ad-7cce6ac8cd67/
SH256 hash:
76260847051d8db6484c67af4aa71e2d457b40a2208bb9f84786fa3638046172
MD5 hash:
721a63430619f3fe4f0783b666948dc6
SHA1 hash:
a9a2830974f41ad4a61531a002ca5672a9ff6c51
Link:
https://www.unpac.me/results/a7b25385-995b-46da-b0ad-7cce6ac8cd67/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/a7b25385-995b-46da-b0ad-7cce6ac8cd67/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/a7b25385-995b-46da-b0ad-7cce6ac8cd67/
SH256 hash:
47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d
MD5 hash:
afe3645cd8498f1a9adc124c28e5ca94
SHA1 hash:
b5dd6f599976055074386fd8958273d4478dc737
Link:
https://www.unpac.me/results/a7b25385-995b-46da-b0ad-7cce6ac8cd67/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47b95d512aad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/384497/

Comments