MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd
SHA3-384 hash:	6a33ef6bdf1319f561ab20fa96f7c44b8193ea2b8289dcb9ff4ef8af95707ee2a6de77ed36c5357b2358f43dd22f700d
SHA1 hash:	fc27c35af8091f4e0ba6c9f5359b114237d8295c
MD5 hash:	14f782ec17cbdb9eda8350ca3c5dc7c4
humanhash:	lithium-foxtrot-johnny-emma
File name:	SecuriteInfo.com.Win32.PWSX-gen.19590.18724
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	961'536 bytes
First seen:	2023-10-15 20:32:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:voSZp5zjDAvD4h927tmecgGugHIMO7p0AJcba:voSf5WsqtmecWIAY
Threatray	481 similar samples on MalwareBazaar
TLSH	T1F1157D3D1CF952278165DBA6CFE9C473B008E46F31A2AE6594D253A68347E4339C723E
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.19590.18724

Verdict:

Malicious activity

Analysis date:

2023-10-15 20:32:35 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/fe7a89d3-3651-414a-88ee-04c3ea1d9068

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454614/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.19590.18724.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/652c4c7e853e4f06480bb60d/reports/3595d96a-1ee1-43f4-b459-be35ceeb8c9c/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5287987f-994d-4e79-9fcb-68e0324ad588

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1326012

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-10-15 18:24:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jhvq4hmhtktxaye6oyzl22came6ty2blgmgg46fw42n6uc2t7k6q._file

Verdict:

malicious

AgentTesla

4a793a9dfa5fac79c6e6b8f1d36e8719cc8f2849849259f364ee8e4af08d9613

AgentTesla

5485c351ca583b40b70345114311f9f514014c054b5317ef6c5744a3faed5233

AgentTesla

6ca768e186aca34cce8eb9a3283f2a17a28f9b81281d464a3c80561b4fbaf066

AgentTesla

7b6ac52d00554670afbdaef1d7b26316cf9f9d4c8d162dfb4b0256077e13b3be

AgentTesla

8a025851510b435a5fe39d69b7d18e1e02e86a5d0a04a60e1b4c53f9575f9d64

AgentTesla

c1cb5a4a27cf88c43845d65d73c7ca0706b00f8c999301061b745ce922c1bd12

AgentTesla

d8268bed755a9098351b3acfbfca2096882c89ae5517621d34580b4de8ee6120

AgentTesla

+ 471 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231015-zbt4hscb95/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

a040efb5ce92995b5d40fd2536c8ad6a93f2d8584a3dd52f07cdb0b34c9e6e29

MD5 hash:

a5a52675690de850e3de6c05a9bd885f

SHA1 hash:

fd953edf2e910fbb43c9e6d4c8d48632bb4e55c6

Link:

https://www.unpac.me/results/4d01dad1-20e9-431f-b0a6-4c6bea1887c3/

SH256 hash:

3903a3cfe99647e43524a0da63fde38334869d9a81fc3c99735f09990a74b6a0

MD5 hash:

564d3e806e7fa5abbc283d84eb204a16

SHA1 hash:

bf53970e32ba7fbc48177b8cef2acbe4ec7ccaa9

Link:

https://www.unpac.me/results/4d01dad1-20e9-431f-b0a6-4c6bea1887c3/

SH256 hash:

34114d1bf5e44c5793519538dfb4a1715d07e70de7a4208fb7d5c1465c9273c4

MD5 hash:

5477e3714c953df2bb3addf3bebbda9a

SHA1 hash:

70447696c55b0c6d2e8b66bc8e086c5dab44be5e

Detections:

AgentTesla

win_agent_tesla_g2

Link:

https://www.unpac.me/results/4d01dad1-20e9-431f-b0a6-4c6bea1887c3/

Parent samples :

49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd
5626197e7000d1dd2fa9153d149cff13dd55c866733bc8899a698bca3a5323bd

SH256 hash:

d511c0658340ec9d35d8f08fd22ae55c6aeebcb52dac453040817a6f9ffd7e43

MD5 hash:

3ac67cb9041168e636198401f53d857b

SHA1 hash:

6207398f41db994130c80150a0c2598045e68b45

Link:

https://www.unpac.me/results/4d01dad1-20e9-431f-b0a6-4c6bea1887c3/

SH256 hash:

49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd

MD5 hash:

14f782ec17cbdb9eda8350ca3c5dc7c4

SHA1 hash:

fc27c35af8091f4e0ba6c9f5359b114237d8295c

Link:

https://www.unpac.me/results/4d01dad1-20e9-431f-b0a6-4c6bea1887c3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49eb0e1d879aa770609e7632bd6840613d3c682b330c6e78b6e69bea0b53fabd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/454614/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample