MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49263745f35d59a6845e6d654980d96ec831d0f7be41ae11a4669098f3a50740. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

SHA256 hash: 49263745f35d59a6845e6d654980d96ec831d0f7be41ae11a4669098f3a50740
SHA3-384 hash: eef3244b767d2a7b6bad1331c9589dff8dd3fd2bd0866d5b448a05858023d3dd4a668eccf436fa815e788ff2c6886681
SHA1 hash: 7542c49271b5d1e3a133b4e069f637090010d985
MD5 hash: 928b56211d5c652a295cdb0a9d0aeaa5
humanhash: four-paris-north-tennessee
File name: 928b56211d5c652a295cdb0a9d0aeaa5
Signature: AgentTesla
File size: 1'437'512 bytes
First seen: 2022-11-16 20:36:12 UTC
Last seen: 2022-11-16 23:46:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 310638d36ec921f029e67a7144e7c280 (2 x ArkeiStealer, 2 x Smoke Loader, 2 x LgoogLoader)
ssdeep: 24576:CewzPTYl63HEU/tZMHGvXLnShmxxOzICN7I+n3DsmqsYImpYXM:izP0l63ztIETShmxxOzX7B3Ds7bHW
TLSH: T1E365D026A79E5279E91DBB7C163478B32AF3C5C8B59013F45105650320BAB9CE4BE8FC
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 48484a4c4c4a4198 (1 x RemcosRAT, 1 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 AgentTesla exe signed

Code Signing Certificate

Organisation: forgiato.com
Issuer: Go Daddy Secure Certificate Authority - G2
Algorithm: sha256WithRSAEncryption
Valid from: 2022-07-15T23:39:20Z
Valid to: 2023-08-16T23:39:20Z
Serial number: 103ec8d8d08d08a8
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 15262b319f98011999db3c7d06b8478322ac244121d8d0b37752e41e13a4540d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 3
# of downloads: 225
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: PL.xls
Verdict: Malicious activity
Analysis date: 2022-11-16 17:59:34 UTC
Tags: macros trojan opendir exploit cve-2017-11882 loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Searching for the window
DNS request
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 747973, sample q44S0kQ3wZ.exe, start date 16/11/2022, architecture WINDOWS, score 100 (rendered process graph not reproduced in text)
Threat name: Win32.Hacktool.Mimikatz
Status: Malicious
First seen: 2022-11-16 20:37:10 UTC
File Type: PE (Exe)
Extracted files: 27
AV detection: 19 of 25 (76.00%)
Threat level: 1/5
Verdict: malicious
Label(s): agenttesla
Result
Malware family:
Score: 10/10
Tags: family:agenttesla family:vidar botnet:1754 collection discovery keylogger spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
AgentTesla
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://t.me/deadftx
https://www.ultimate-guitar.com/u/smbfupkuhrgc1
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: a7446b41453bfaeddf9106409cf6455d27506ccb63a051672c9fe2c2aacc350c
MD5 hash: f27f556809bab5331631451982ffcac6
SHA1 hash: 4dd753b2fb17746aa1b852e49fa364917c2300a3
SHA256 hash: 49263745f35d59a6845e6d654980d96ec831d0f7be41ae11a4669098f3a50740
MD5 hash: 928b56211d5c652a295cdb0a9d0aeaa5
SHA1 hash: 7542c49271b5d1e3a133b4e069f637090010d985
Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AgentTesla
File: Executable exe 49263745f35d59a6845e6d654980d96ec831d0f7be41ae11a4669098f3a50740 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-11-16 20:36:18 UTC

url : hxxp://46.183.220.20/77/vbc.exe