MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e
SHA3-384 hash:	fdcbc629039c6c38b91a24d28c947d148d16af6215ba94fc1c516486788b57dd64c903ce08e5b33274cd2e42c8266cd7
SHA1 hash:	b563cc1c326699fc8556bb13b3bd9265beedc0de
MD5 hash:	22a9b282c0942875f9f99aeeb7503bf1
humanhash:	connecticut-venus-yellow-four
File name:	PI.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	893'952 bytes
First seen:	2023-05-19 11:48:57 UTC
Last seen:	2023-05-20 15:19:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:v2iNfUFotEvZ412FX6vGIJ4XWfiTBSC8WU0UtuH5T2J3jHuR:v1Bs0qZ4MHJmsoCy0UtugJDS
Threatray	3'921 similar samples on MalwareBazaar
TLSH	T14815C050E6E9DADDD4240BF0A1D3D4F407261D28E1E8EA570EDB2CDF31BAE44216663B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	threatcat_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

257

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PI.exe

Verdict:

Malicious activity

Analysis date:

2023-05-19 11:50:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/35ddcedd-e525-4085-b845-8b21febc5577

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/6467622f6afc92605683cf61/reports/e9e7c56f-593d-4dec-a112-8bd777b76fcb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1a444f8d-0c25-4767-a62b-3cb066ee807b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1237148

Signature

.NET source code contains potential unpacker

Found malware configuration

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-18 05:56:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jcuqosvc527hesy6tu4cryxlhkyp32gtodxxczjll77ejt2rgixa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

271d3e8dfec86cdeb02be2c1d29e4717dae69d8edfb088bdf67b3da85fbacf30

AgentTesla

480f492220e396a90c861da2d9b9a19940824b9855ff1d4b77ffc93c60e33661

AgentTesla

5ee727653b9e6ded021959d91650e3d23c1586b14ed1d22d84c8b3cd5f7e634a

AgentTesla

a49ecccd91988526d45088a50cb554ad8733ce0cea724da92f9a5f9366629945

AgentTesla

b2ce7ceab077d4acc80f9af0b23024ded5c8c52512ba8e5165fe7319cd4a5f6c

AgentTesla

dac89be8aa934890907a63a2dfc1222a2718c81bec983c0da3a562c7724869b8

AgentTesla

ecdfd7ad19c37fcfebb876a9c64c47030e6369bd81676df58fa9e7c2ce9e72e3

AgentTesla

ed9248192c85ed4a3053e0c5bf1763cb1e39ed9514122a29542e439461c89f9b

AgentTesla

+ 3'911 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230519-ny1c9sgd6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

1e3cc948a784753c295f9acd138a6ece7c89ded7db669b4069210c70a45fe6a1

MD5 hash:

4689d879a4c3f147fb2490d71d499fb1

SHA1 hash:

ce2105b06b1833883cf7609c1f62afa88629a8f1

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/e8ddf74d-77cb-431c-9a35-c2c9ec704bd8/

Parent samples :

ed9248192c85ed4a3053e0c5bf1763cb1e39ed9514122a29542e439461c89f9b
48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/e8ddf74d-77cb-431c-9a35-c2c9ec704bd8/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

cdaeaea6ead02ec0df1c54f1dc843c41ad7dc3d2c57d588955be095930cc2920

MD5 hash:

bf6e7982ccb14275cb1538bc89c82486

SHA1 hash:

59217bf7c8b449b686f77c41faf53708db8663fc

Link:

https://www.unpac.me/results/e8ddf74d-77cb-431c-9a35-c2c9ec704bd8/

SH256 hash:

81d3b893aad0def2fc419f00eacab146e9bc389c261bab03416ebd5155ca68eb

MD5 hash:

c9f0b8319c7ca450341379fc83a29a71

SHA1 hash:

26dbd09bb76b06cad76d1076f7a38892d4cb37d9

Link:

https://www.unpac.me/results/e8ddf74d-77cb-431c-9a35-c2c9ec704bd8/

SH256 hash:

165cc9f660a5f8d03a2331b64da338019e50a8e340ae96b8bc7d10d466d69ece

MD5 hash:

f8e2ff2a95cfe9374a5d98265a9e5954

SHA1 hash:

22b1ddc075e2703318191fd5f5173e8fd9870ac3

Link:

https://www.unpac.me/results/e8ddf74d-77cb-431c-9a35-c2c9ec704bd8/

SH256 hash:

48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e

MD5 hash:

22a9b282c0942875f9f99aeeb7503bf1

SHA1 hash:

b563cc1c326699fc8556bb13b3bd9265beedc0de

Link:

https://www.unpac.me/results/e8ddf74d-77cb-431c-9a35-c2c9ec704bd8/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/48a9074aa2ee/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample