MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175
SHA3-384 hash: 4ff6e508c357453c745e4518fa86826930feb54c84d1eb052021854672e4c28c2a8b43db6f58d6ad90af8b5ab196e987
SHA1 hash: 39616c76a50eb3709cf91101c48767811c0ee08d
MD5 hash: 5dad0fc9599af31e8171984e514fd76c
humanhash: jupiter-west-friend-black
File name:TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'147'328 bytes
First seen:2024-08-26 07:53:05 UTC
Last seen:2024-08-26 11:17:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a6d80c5b45dc9232fe72a993ca3e0d3 (2 x Formbook, 1 x AgentTesla, 1 x SnakeKeylogger)
ssdeep 49152:25Dg3sJDRZo8DYpK/2sFq6r5o9q5vlCZT1PkJ58xH0v5pp:5hzK5
Threatray 3'950 similar samples on MalwareBazaar
TLSH T1B1A5BE14E3A801B8D837DB34CA659333D67178565730E58F0A89D6452F33EA2ABBF712
TrID 47.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
35.2% (.EXE) InstallShield setup (43053/19/16)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 4f89090c0c098d4f (21 x AgentTesla, 8 x MassLogger, 1 x VIPKeylogger)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
475
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe
Verdict:
Malicious activity
Analysis date:
2024-08-26 07:54:26 UTC
Tags:
smtp stealer exfiltration agenttesla
Link:
https://app.any.run/tasks/499b88a9-7468-44f2-b78c-94067442cedc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.24864.14248.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cc349cb2a4681a72969f00
Tags:
Execution Infostealer Network Static Stealth Gensteal
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e5833f15-76ce-414c-b447-3dc0a34a9cb1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1498908
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1498908 Sample: TEKL#U0130F TALEP VE F#U013... Startdate: 26/08/2024 Architecture: WINDOWS Score: 100 37 cp8nl.hyperhost.ua 2->37 39 fp2e7a.wpc.phicdn.net 2->39 41 2 other IPs or domains 2->41 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 5 other signatures 2->61 7 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe 1 2 2->7         started        11 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe 1 2->11         started        13 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe 1 2->13         started        signatures3 process4 file5 35 TEKL#U0130F TALEP ...130F#U0130_xlxs.exe, PE32+ 7->35 dropped 63 Creates autostart registry keys with suspicious names 7->63 65 Writes to foreign memory regions 7->65 67 Allocates memory in foreign processes 7->67 15 AddInProcess32.exe 2 7->15         started        19 conhost.exe 7->19         started        21 CasPol.exe 7->21         started        69 Injects a PE file into a foreign processes 11->69 23 InstallUtil.exe 2 11->23         started        25 conhost.exe 11->25         started        27 jsc.exe 11->27         started        29 MSBuild.exe 11->29         started        31 InstallUtil.exe 2 13->31         started        33 conhost.exe 13->33         started        signatures6 process7 dnsIp8 43 cp8nl.hyperhost.ua 185.174.175.187, 49730, 49731, 49734 ITLDC-NLUA Ukraine 15->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->45 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->47 49 Tries to steal Mail credentials (via file / registry access) 23->49 51 Tries to harvest and steal ftp login credentials 23->51 53 Tries to harvest and steal browser information (history, passwords, etc) 23->53 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-08-26 05:54:52 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jginjrlaazskiopat2pouqlo5zi5aijijpepxiagvi56xp5rcf2q._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5
AgentTesla
1615d4396467f0c5db3061b4b438a518da24667e8117fb65d917ae6048bbfa31
AgentTesla
1bf711744adbf1b2de0f3fb5d8abb2966018b61fa5b248de1ba6aaaac8bb681a
AgentTesla
2a34fdbd85ede8fa71f6c5133c3b38ce86334a0ec30cec9081b7b5d33cb6edf3
AgentTesla
5f14a244f730788efe3dc87a9b3d73955ca9e76862c822d6cd3707804a4308a3
AgentTesla
945a58904c4e277f5e24b02038a8ead79d51e25ce43aff2c1206f22cacce9bf2
AgentTesla
+ 3'940 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240826-jrjdysvbql/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6224973d-596e-4e35-9faf-41f5812b4d51
Unpacked files
SH256 hash:
4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175
MD5 hash:
5dad0fc9599af31e8171984e514fd76c
SHA1 hash:
39616c76a50eb3709cf91101c48767811c0ee08d
Link:
https://www.unpac.me/results/29328568-0a73-47f1-b882-1814f80027dd/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4990d4c56006/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4990d4c5600664a439e09e9eea416eee51d021284bc8fba006aa3bebbfb11175

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolIo
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments