MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208
SHA3-384 hash: 214d7b45a54f8aa853f341eb449ffc0f97f7490dec56d0129c607169d1db16bf62a2e7d0c800fe5aca50e6c6adf41a57
SHA1 hash: bae6f20a78a5a5ded24076703cb043b265447b74
MD5 hash: d6a96992b306f31e83a8254d62b45fc4
humanhash: victor-happy-india-nuts
File name:Urgent inquiry_PO 20627.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:799'232 bytes
First seen:2023-11-01 13:12:19 UTC
Last seen:2023-11-02 15:04:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:bKlVCu7365TWMdl5bLts9zPBo9e87q1wqD:elVF36RWMf5yGb7ewqD
Threatray 533 similar samples on MalwareBazaar
TLSH T1A30512497A791B97DAB943FBB514684007FAA52F65A2F3049EC270EB7134F900B42F63
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
403
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Urgent inquiry_PO 20627.exe
Verdict:
Malicious activity
Analysis date:
2023-11-01 14:40:56 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/c7272175-6277-4e1d-8c2e-ba4a686a64b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457626/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2504.10035.17898.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65424edea6fa5eab936cdf69/reports/a60e2878-79b6-4847-a1a1-a1d8b1da0719/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01d1afcb-ad47-41e0-b9c5-2360660b252e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335448
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335448 Sample: Urgent_inquiry_PO_20627.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 41 us2.smtp.mailhostbox.com 2->41 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 9 other signatures 2->57 8 Urgent_inquiry_PO_20627.exe 7 2->8         started        12 bDhQlocW.exe 5 2->12         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 35 C:\Users\user\AppData\Roaming\bDhQlocW.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\tmp2E09.tmp, XML 8->37 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 8->61 63 Adds a directory exclusion to Windows Defender 8->63 65 Injects a PE file into a foreign processes 8->65 17 Urgent_inquiry_PO_20627.exe 2 8->17         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        67 Multi AV Scanner detection for dropped file 12->67 69 Machine Learning detection for dropped file 12->69 25 bDhQlocW.exe 12->25         started        27 schtasks.exe 12->27         started        43 127.0.0.1 unknown unknown 14->43 file6 signatures7 process8 dnsIp9 39 us2.smtp.mailhostbox.com 208.91.199.224, 49740, 49743, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->39 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->45 47 Tries to steal Mail credentials (via file / registry access) 25->47 49 Tries to harvest and steal browser information (history, passwords, etc) 25->49 33 conhost.exe 27->33         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 06:47:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfojqjxmk3js7kg63ftohvwemg2dx6yef746ej7hl7ny6vkdkiea._file
Verdict:
malicious
Similar samples:
15f8390b37fb35a6ee1d47c60914fdea8db15bbb8137135c05bbddfa2c6c2c0d
AgentTesla
2b55f7e957049c9786d8e556542de0e61b069f24578a516884395b154c12d0b3
AgentTesla
42f53657f1fa3e1a832805479fb96f941870e7722c577f7a201a81543dddb878
AgentTesla
452ff2f3fce802f46e640f429d987538f9dcf631b9488ae7ebf484f2eb3dca0f
AgentTesla
56201f646915a1f24dbb151b653b770290ca145e163999bc39a874bb174ec33b
AgentTesla
5825bde73102349f8a9ba272fce964413be3563bb4c4ef17dff41c2fed460932
AgentTesla
bb9892ff838c2e6a7a2740122a6518b9d60da413638e7e102fa9729d1d9df7cb
AgentTesla
c107d4cc003e96086be97b02304631459e7b4ef3038fd6716ab583efe60dc964
AgentTesla
f1ff3671c84b073f77c786da2c09f4ad2de52cb37dc60806ce52254b3d6929c3
AgentTesla
ffe2f8fec7f9ba8ff7877c6913820df6048f6d3df97dedf8d81efc3a51baba87
AgentTesla
+ 523 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231101-qf3f1sgf6t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/8f7df71d-feb8-4bb7-a88a-449607220990/
SH256 hash:
e5a8b01f87ae90fd69b7c6b907adef21ab0441c846cca69c61dc41c312f5909b
MD5 hash:
50ed73afc5f3215857c4ca4c1bf300a1
SHA1 hash:
899a7fe5f4b3cacba76c018d04c5e7043f95d2ea
Link:
https://www.unpac.me/results/8f7df71d-feb8-4bb7-a88a-449607220990/
SH256 hash:
321b9837024c717dd5b2ad4217a7e2734e368bdb58918437baf42f46a34149b1
MD5 hash:
91412a60691a2512ab0becb2f7002a32
SHA1 hash:
70fe342dd601a4b6a3fb67202c9ea3b3fea31b5c
Link:
https://www.unpac.me/results/8f7df71d-feb8-4bb7-a88a-449607220990/
SH256 hash:
b2f1fc0bcc710a9e1c4ba1f02ab17c383b3bf4125930c65d88bb148188da3636
MD5 hash:
f96ee79bd6e3cedb65bc103089e68dd3
SHA1 hash:
3257b2110eaff8cd3317e2a9145e8e47c71d5151
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/8f7df71d-feb8-4bb7-a88a-449607220990/
Parent samples :
260530d11183d7baa980862009361f80e8bcd3b4539713ca4cc7d8106dc59420
495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208
SH256 hash:
495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208
MD5 hash:
d6a96992b306f31e83a8254d62b45fc4
SHA1 hash:
bae6f20a78a5a5ded24076703cb043b265447b74
Link:
https://www.unpac.me/results/8f7df71d-feb8-4bb7-a88a-449607220990/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/495c9826ec56/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/457626/

Comments