MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b2e08cf7fb9bceaf2721ef24c9ab795c984403c258af9df3914dee1f3225a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	49b2e08cf7fb9bceaf2721ef24c9ab795c984403c258af9df3914dee1f3225a0
SHA3-384 hash:	3f9a4add879c3796a1904375c8277c6437251dfa04e54311970bddeb43b9399a5765e9fbbddbe9a915f061b8aa128d25
SHA1 hash:	5b537332965f41f4d9abb0219699fd3b0072a303
MD5 hash:	0fc9600ee3eae56b0d81fb4560cb0146
humanhash:	solar-lima-comet-jersey
File name:	TpuLrsiSQ3light.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	556'544 bytes
First seen:	2023-08-22 12:13:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:F/d6aGTEgIWwwxNF47y3qNFPbkPMqD20ewIizq26j4CZMk6/:JGgfwxNi7qqPbkPMqD20X36j4C2kW
Threatray	71 similar samples on MalwareBazaar
TLSH	T11EC423B2B64BC54DE1F8C3B4910455E53FB5230628BFB0B90D7AC216B9387C674E8B66
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

TpuLrsiSQ3light.exe

Verdict:

Malicious activity

Analysis date:

2023-08-22 12:14:47 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/48a67d3b-8995-463a-9ede-3769296ae718

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/444152/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.27646.16639.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Reading critical registry keys

Creating a window

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/49b2e08cf7fb9bceaf2721ef24c9ab795c984403c258af9df3914dee1f3225a0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b1dd757-c49b-49b9-bd09-46d82c99f751

Result

Threat name:

AgentTesla, DotRunpeX

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1295139

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DotRunpeX

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49b2e08cf7fb9bceaf2721ef24c9ab795c984403c258af9df3914dee1f3225a0/

Threat name:

ByteCode-MSIL.Trojan.Barys

Status:

Malicious

First seen:

2023-08-22 10:04:51 UTC

File Type:

PE+ (.Net Exe)

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jgzobdhx7on45lzhehxsjsnlpfojqradyjmk7hptsfg64hzsewqa._file

Verdict:

malicious

AgentTesla

3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d

AgentTesla

4d9e0a28423515a1574837873cc75c3c495daebf2247e5353f9028d97ccf3fb6

AgentTesla

576ef869c72f3afe6f4f5101f27aeb0d479cae8e5d348eea4e43e8af8252dfd0

AgentTesla

670bc9a86f72af2ab43a89c576a4e1874ce188b35a1f5656ea27f4b7ac3d5f09

AgentTesla

71b83a4a645cee8038819ee490a2b6324d287d8aac405adb1b373277dc5c23ab

AgentTesla

b6b11f3f8bfb25580a473ebc62529276c47a05e43c3fc70845df1d8c1c515262

AgentTesla

e43e5c816ce04f8fa14c819ff2b5bfc02c03e27a4b0a6b85875ef11ea4d4489f

AgentTesla

e9b89c91baf30931ff00e18e04d957edc7735cbc9e44eec035e8f395f6c4b6dd

AgentTesla

f19f1debabf340338607f916a64a783e14afc6d3ee4a5ab390a00dc3f33f30d2

AgentTesla

+ 61 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230822-pew26sdf21/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

49b2e08cf7fb9bceaf2721ef24c9ab795c984403c258af9df3914dee1f3225a0

MD5 hash:

0fc9600ee3eae56b0d81fb4560cb0146

SHA1 hash:

5b537332965f41f4d9abb0219699fd3b0072a303

Link:

https://www.unpac.me/results/af468cd3-c5ea-4f5b-b879-81aab4503f0f/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49b2e08cf7fb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.79

Link:

https://yomi.yoroi.company/submissions/49b2e08cf7fb9bceaf2721ef24c9ab795c984403c258af9df3914dee1f3225a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/444152/

URLhaus

https://urlhaus.abuse.ch/url/2706170/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample