MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b
SHA3-384 hash:	68ae0d6175aef798f0543e819f9da45028f7f80fa5fa594e9645bb108df1c5d43f24836b0b7eccec8fa3b8b87bb190c5
SHA1 hash:	0032798a37ba7676b23e2be80b5231d35bd06146
MD5 hash:	a1f14b0b17732341dd77e0d0a8aec92f
humanhash:	oregon-connecticut-edward-blue
File name:	SOA.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	420'458 bytes
First seen:	2023-12-18 17:25:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep	6144:Zhjmth0F6wqvh9VVecFF4Gy2FyJSJFAon10dOD2MNu2nOHUTSbM4CNDEVAdfBz:8aFd8h9il24No10sDbKfMTqWVl
TLSH	T12794CF90E94CB8EAE4DA15737A3AD42C4592AFD882F4119F73663E3455F3BC22077D0A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4a4a48c96b2f074 (22 x AgentTesla, 8 x Formbook, 5 x SnakeKeylogger)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

308

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/468320/

Detection(s):

Win.Malware.Filerepmalware-9889810-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Reading critical registry keys

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/658080acb855eb3693e4639c/reports/d1bbb37d-84ee-4584-8388-c579004f3e27/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/77d84ba2-500a-4958-8c5e-d9945bb74e3a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364065

Signature

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Installs a global keyboard hook

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b/

Threat name:

Win32.Trojan.GenShell

Status:

Malicious

First seen:

2023-12-18 09:31:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 37 (54.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jcw7ttsxggezvembwt5nq7c6rcnaifwv3bcluqperxkrohi275fq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/231218-vzt17sddh2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

7d4582c3359d3e8e3e52ffea71ad9ad48beaedcc5aa0031afdce6927cc22f2d9

MD5 hash:

1fb397d54b7b207ae08cfbd4ca1eb9e6

SHA1 hash:

aea7d05ebb2cd6436df2e830532ee95f38cf0e85

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/12acb9ce-8c9e-4412-8ab6-aad8ee885986/

Parent samples :

86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540
b894cc268212c515d0ee2d531128f79ef1b3131b6ea41a297d1b54f23dcdecca
48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b
3934d48c77cb712a0ee30371d372b3198f60e6e90b79d93dca8c972640e889c8
8923d948d703222567a78747905de70689889573e6b49baad071b06cdeb09125

SH256 hash:

41a4ca70addb594fe60b2a971810ab236fcc2e776c2b6b40a5f97c008ddcdeb3

MD5 hash:

ab3c1b75558dcf293811fe89e959c0ce

SHA1 hash:

3dd579598a7e1388cc6bde8f96a29fdd985056ae

Link:

https://www.unpac.me/results/12acb9ce-8c9e-4412-8ab6-aad8ee885986/

SH256 hash:

48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b

MD5 hash:

a1f14b0b17732341dd77e0d0a8aec92f

SHA1 hash:

0032798a37ba7676b23e2be80b5231d35bd06146

Link:

https://www.unpac.me/results/12acb9ce-8c9e-4412-8ab6-aad8ee885986/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/48adf9ce5731/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48adf9ce5731899a9181b4fad87c5e889a0416d5d844ba41e48dd5171d1aff4b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468320/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample