MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48c43477ab6fb8f02226023692730095547d1eeaee8916dd0f0a4de7f13319f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	48c43477ab6fb8f02226023692730095547d1eeaee8916dd0f0a4de7f13319f6
SHA3-384 hash:	4a001ab417f2474e98be4a119a6663dc2dc2d70d511cb6e7100eb0efaaca26a60cf424490d8481d75af702efbfe73c39
SHA1 hash:	0f86bc0d079039b669886d120938bafdeac718c6
MD5 hash:	e9018349501430a0dfbfd1391358253e
humanhash:	fifteen-fillet-kilo-mango
File name:	SecuriteInfo.com.Win32.PWSX-gen.5830.11178
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	589'824 bytes
First seen:	2022-12-01 04:27:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:XMGU5ytXYejJ/LPsOvjuwEp304ZzzqYLaViNzHrI239jq:8+7jJ/z3uw+nzzqYz99j
Threatray	24'417 similar samples on MalwareBazaar
TLSH	T163C4129D22D54311DCAA97F1FC71548C5F32A8691F02C29FAEC3729B5935BACD222E43
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	4cdcb2aaaaaa8ad4 (6 x AgentTesla, 5 x Formbook, 2 x AveMariaRAT)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.5830.11178

Verdict:

Malicious activity

Analysis date:

2022-12-01 04:28:33 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/f02ddde4-b481-4ea9-bccf-0736de029e68

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/340962/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.5830.11178.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638845109ca9f28d251d8b7c/reports/ea2a2ad3-a34a-484f-b95e-993f4697280e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b166442-0d77-4b77-b694-4df507a2a511

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1124865

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48c43477ab6fb8f02226023692730095547d1eeaee8916dd0f0a4de7f13319f6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-01 02:40:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 40 (55.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jdcdi55ln64pairgai3je4yasvkh2hxk52ernxipbjg6p4jtdh3a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2481cea12beb2f9033adbb68a4e14e4e7c3a599e9f92141d4d687ac7932970a5

AgentTesla

62fadd6316bdca6df88219e47e507ae0e8a0076a0f084b5b7da14b750b4609f6

AgentTesla

707f1a98a3ae159f94ce852b36350c721f7dcf585797ce88008ecd6a7674879c

AgentTesla

b9b2f17e7d4822929319c5915bcd61dacdae448d66bb85c992a84c3468e8c701

AgentTesla

c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df

AgentTesla

da0cd9ef9c9d409ee82e7d6e2ac1e06a806c128b2ea97ecc80443ceddbea04ab

AgentTesla

f8cadf28d331fb0af9d2b53cca0859948cb5ab2e5f2e447c6659f481e73c7a77

AgentTesla

+ 24'407 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221201-e3pmwshd4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2be39a4c-7dd7-4e15-bdd4-3c605eff7750

Unpacked files

SH256 hash:

3d05f109735476766cc62d0f725c46cab664a207e7ade33bd0609ec1a27889c2

MD5 hash:

70e2453bfb75c38f58e2c95671f4845b

SHA1 hash:

cb1eb4bfd56fb37e8f9a3652f4629ffb4fd88307

Link:

https://www.unpac.me/results/f5854be3-6cfa-4a05-b36b-3b43f0915576/

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/f5854be3-6cfa-4a05-b36b-3b43f0915576/

SH256 hash:

db45e5fae47a5ab1d5d13a07ba9f52f0a884f07f5a768114d9ddab0c58c6ba4f

MD5 hash:

e57c4fe72b268d10e28d014e51ffce24

SHA1 hash:

9b979b48fda59593a469444a4fd2ce5e8cbd6331

Detections:

AgentTesla

Link:

https://www.unpac.me/results/f5854be3-6cfa-4a05-b36b-3b43f0915576/

Parent samples :

48c43477ab6fb8f02226023692730095547d1eeaee8916dd0f0a4de7f13319f6
03824f599477262471303ad51c7c93331e659a760f86685ca3f6393ac5127a50

SH256 hash:

01c204f72e6fa9b01b62f26c6dc61b93a4f06be678c24f912b2b1dde0be1174b

MD5 hash:

f88a046bf8e4098322897b51032de9e8

SHA1 hash:

52bfc1e3348bebf580e07e251dd0d878288a3a36

Link:

https://www.unpac.me/results/f5854be3-6cfa-4a05-b36b-3b43f0915576/

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/f5854be3-6cfa-4a05-b36b-3b43f0915576/

SH256 hash:

48c43477ab6fb8f02226023692730095547d1eeaee8916dd0f0a4de7f13319f6

MD5 hash:

e9018349501430a0dfbfd1391358253e

SHA1 hash:

0f86bc0d079039b669886d120938bafdeac718c6

Link:

https://www.unpac.me/results/f5854be3-6cfa-4a05-b36b-3b43f0915576/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/48c43477ab6f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48c43477ab6fb8f02226023692730095547d1eeaee8916dd0f0a4de7f13319f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340962/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample