MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4978dbd8c40bff5c01fa888ff9523adb19b70efeabf9f1453ba293d2a5afdce7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4978dbd8c40bff5c01fa888ff9523adb19b70efeabf9f1453ba293d2a5afdce7
SHA3-384 hash: ac14d731abf53b2ae6ae1d29021ffd450a3c65d56148a04601adc861e6e76a70c9c8b3f9d97f11af584d65fab3d80e62
SHA1 hash: 22aecc96b7cf83b2d8585b24dcd77d2c2fccdf14
MD5 hash: 51c58dfea1c73629e07af8bdc813c9b9
humanhash: hot-queen-red-utah
File name:51c58dfea1c73629e07af8bdc813c9b9.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:912'384 bytes
First seen:2023-03-17 09:21:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:kNJO8lpXU5ZkXQ54KTm5E29OiQAvVzKlJhZSRrq2V5IbIZkrD38VLwbQji17B:kU54aAO/AtzSSRrq2ValSuj/
Threatray 80 similar samples on MalwareBazaar
TLSH T104159E4483444F2CF6E0267D30683EC62F9158CCE9AEBBEF99A7D879B5E845517C6C02
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70f0e6d4cca8f070 (15 x AgentTesla, 6 x SnakeKeylogger, 5 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
51c58dfea1c73629e07af8bdc813c9b9.exe
Verdict:
Malicious activity
Analysis date:
2023-03-17 09:27:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2a6f2bf7-86f4-4357-828d-113a01165fff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375025/
Detection(s):
Sanesecurity.Malware.29035.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64143141e6d26a096f56f397/reports/f8a660dc-ce7d-4eaf-853c-accfb3047358/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4978dbd8c40bff5c01fa888ff9523adb19b70efeabf9f1453ba293d2a5afdce7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05460416-3158-4a94-ae73-a57fc300e92c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1196362
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 829260 Sample: V9hBN9tW4H.exe Startdate: 18/03/2023 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected AgentTesla 2->55 57 Machine Learning detection for sample 2->57 6 V9hBN9tW4H.exe 3 2->6         started        10 BKEDEaL.exe 3 2->10         started        12 BKEDEaL.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\...\V9hBN9tW4H.exe.log, CSV 6->25 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->59 61 May check the online IP address of the machine 6->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->63 65 Injects a PE file into a foreign processes 6->65 14 V9hBN9tW4H.exe 17 10 6->14         started        67 Multi AV Scanner detection for dropped file 10->67 69 Machine Learning detection for dropped file 10->69 19 BKEDEaL.exe 14 7 10->19         started        21 BKEDEaL.exe 10->21         started        23 BKEDEaL.exe 12->23         started        signatures5 process6 dnsIp7 31 api4.ipify.org 64.185.227.155, 443, 49691 WEBNXUS United States 14->31 33 mail.spjsv.ro 89.43.174.45, 26, 49697, 49700 CHROOTBucharestROMANIAEURO Romania 14->33 41 2 other IPs or domains 14->41 27 C:\Users\user\AppData\Roaming\...\BKEDEaL.exe, PE32 14->27 dropped 29 C:\Users\user\...\BKEDEaL.exe:Zone.Identifier, ASCII 14->29 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 35 173.231.16.76, 443, 49701, 49702 WEBNXUS United States 19->35 37 api.ipify.org 19->37 39 api.ipify.org 23->39 49 Tries to harvest and steal browser information (history, passwords, etc) 23->49 51 Installs a global keyboard hook 23->51 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4978dbd8c40bff5c01fa888ff9523adb19b70efeabf9f1453ba293d2a5afdce7/
Threat name:
ByteCode-MSIL.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 15:58:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jf4nxwgebp7vyap2rch7sur23mm3odx6vp47crj3ukj5fjnp3ttq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0569738ce15eac35fb934871ffc136a1a73800be88e9c13d96c4bb05b863ee93
AgentTesla
088c2f0914786aef4076d2c680c5d0c817696ada1f2f5a31b9e8250680f796bd
AgentTesla
11448a58a01b27a0f74213c3c46c751abf0847cdc6bd22e8c59ac880605eb057
AgentTesla
278e5ea9416fabd8821c86c7b242b9ced4a5345b79852177e2895acd5b560257
AgentTesla
34295d7afd974fbf4786c737e60c28c8c1b8f2376465623e9ef49b7cedb26e71
AgentTesla
4e872ac4afe3e4abf1ad67441634b9102df1820ef0eac83282302f4c75930863
AgentTesla
81d7db908cad5ee4ce1d33b94e0ab8f65025a7ba741d6171b41f4026c226970b
AgentTesla
8b18ae1d0cdc76bff21cb3a55e0e0a9280bd0979bcc049426381f71b2e06d924
AgentTesla
ac54d1fe3d0ff07a8342588336d7e9215cc7feb617a4abdc6afe56365938b998
AgentTesla
c812d336befc1fa3ce6175f3ea6efeba20f82a07b1765c7bbec0c60c92e7812a
AgentTesla
+ 70 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230317-lbxbzshd6x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Unpacked files
SH256 hash:
b8877238b6459130d57677dcc70e394950469c7090b2e70973184d7696ee3a32
MD5 hash:
6ba7a5936360514981731ebd2d845c46
SHA1 hash:
bbe1c9f1489ebd1344a066a8f9939b2b67792186
Link:
https://www.unpac.me/results/1cb81eb9-ad47-456b-9c47-0ddf06036a48/
SH256 hash:
177bed6c3447677918e121ec64ceb9476aebc7b877754c2995124e76eceff82f
MD5 hash:
4892f9719603ddbcdf532d3c4730a2f4
SHA1 hash:
a95f86f040d2c9987a3b6f05a0b930f3a32ed75d
Link:
https://www.unpac.me/results/1cb81eb9-ad47-456b-9c47-0ddf06036a48/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/1cb81eb9-ad47-456b-9c47-0ddf06036a48/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
985823005bc61ea5ace1c088e71f74b287b334036904e86f76a633fd09db848c
MD5 hash:
760c4ae78298ace8ac35433154702fac
SHA1 hash:
7eb1db074ad4cbca32980d0a7a6aca9988a6be20
Link:
https://www.unpac.me/results/1cb81eb9-ad47-456b-9c47-0ddf06036a48/
SH256 hash:
c028aaa4467a8f523ab3727dc87f5619435c7d858b7854a60c7d56ebae2d984e
MD5 hash:
bfa3206e3afeb6f3b619d0562aa17d5f
SHA1 hash:
786dde5d34147fd2299147abb5559a930dc6a13e
Link:
https://www.unpac.me/results/1cb81eb9-ad47-456b-9c47-0ddf06036a48/
SH256 hash:
4978dbd8c40bff5c01fa888ff9523adb19b70efeabf9f1453ba293d2a5afdce7
MD5 hash:
51c58dfea1c73629e07af8bdc813c9b9
SHA1 hash:
22aecc96b7cf83b2d8585b24dcd77d2c2fccdf14
Link:
https://www.unpac.me/results/1cb81eb9-ad47-456b-9c47-0ddf06036a48/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4978dbd8c40b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4978dbd8c40bff5c01fa888ff9523adb19b70efeabf9f1453ba293d2a5afdce7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4978dbd8c40bff5c01fa888ff9523adb19b70efeabf9f1453ba293d2a5afdce7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2346138/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/375025/

Comments