MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a41861a81e4b094f22b2660ed6d0717892209452061d6c21668051651fe1763. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a41861a81e4b094f22b2660ed6d0717892209452061d6c21668051651fe1763
SHA3-384 hash: 1ff5124c91bfd5ceb5fdb116db0fe1976377f4ffaf8b0b84879bc7d043cf5c56b12c66961774a7864f13f9202c804214
SHA1 hash: eea9a8edf8e704c1fa1c7d1da8f63cabe5623961
MD5 hash: dad996ac644cafb4c238bbd162945114
humanhash: summer-avocado-potato-queen
File name:TT PAYMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:49'664 bytes
First seen:2023-01-26 14:29:16 UTC
Last seen:2023-01-31 14:02:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:bBiaJBr3lg8aZubP7FMI544rr9OqkJ7aKSEqGtkuODgkATIv:bBxBr3lg8aZub9V2J7aKSN6QrA+
Threatray 1'006 similar samples on MalwareBazaar
TLSH T130235C89179F4327D3DE1F7CBC72064D5BB0A167F832E79969DCA0E41A227A106143AB
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT PAYMENT.exe
Verdict:
No threats detected
Analysis date:
2023-01-26 14:32:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10349c26-5eb4-4a14-8b6b-ac835c6f4654

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357149/
Detection(s):
Sanesecurity.Rogue.0hr.20230126-0933.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
DNS request
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe
Link:
https://www.filescan.io/uploads/63d28e6c2b351a3d0ea91835/reports/79f093b5-a36b-4a7b-806d-f05bd1495494/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e54b1501-144b-4e4d-8dcd-eac31481c8ce
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159607
Signature
.NET source code references suspicious native API functions
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a41861a81e4b094f22b2660ed6d0717892209452061d6c21668051651fe1763/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-26 14:29:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
7 of 25 (28.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjaymgub4syjj4rlezqo23ihc6eseckfebq5nqqwnacrmup6c5rq._file
Verdict:
malicious
Similar samples:
132a12a98cc3cc5857d24ddb35c499ec344d2482a8ca101df1630b9be37b11d1
AgentTesla
1a11ad60cbd959d8f5a512d03f5b7382c794735546cad9463f191393f7a2a912
AgentTesla
4c3af793b926ac4a4dfb0de4b54555730bf89dcaba5b2d6c25f6c9a4eefc0be6
AgentTesla
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
AgentTesla
7f03e073aed2a3458a76cf000cd58342e34ddd785cdb5947321d904dfb2d4dfa
AgentTesla
a7555fbbb59c9e063dfa6b392af01c02f1d23679e53882fc1cb6d3a432330c50
AgentTesla
b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4
AgentTesla
bf9cbad13935f939f44add9a131188c73e3dda014e039debc553ebacab228d83
AgentTesla
ce5611605035936355aeb920edf5a831f970de2c0904bd753025858e338410e1
AgentTesla
+ 996 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230126-rt5zqsfd3z/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
4a41861a81e4b094f22b2660ed6d0717892209452061d6c21668051651fe1763
MD5 hash:
dad996ac644cafb4c238bbd162945114
SHA1 hash:
eea9a8edf8e704c1fa1c7d1da8f63cabe5623961
Link:
https://www.unpac.me/results/d660afbc-dc9f-4272-a5d8-d07172ba6d50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4a41861a81e4b094f22b2660ed6d0717892209452061d6c21668051651fe1763

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1f7f3516ac69a8fd3be07d3c7a1cc23effb7b112c4acdadc9d4cb5621023b13f

AgentTesla

Executable exe 4a41861a81e4b094f22b2660ed6d0717892209452061d6c21668051651fe1763

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/357149/
  
Dropped by
SHA256 1f7f3516ac69a8fd3be07d3c7a1cc23effb7b112c4acdadc9d4cb5621023b13f
  
Dropped by
MD5 e4c65d059ddddfbcc88275dd4064205b
  
Dropped by
SHA256 5fc109bf3eb68110474d8469ffe5a953f129b0f9f8239424596b71d36be0028b
  
Dropped by
MD5 84159f78b43725125308a006a61e2bc0
  
Dropped by
SHA256 36c481e028948d2d6798610aefe9dc54d99652263e2c58d2f872393e2ed86465
  
Dropped by
MD5 0b72d76e6e5a292857072b4f8fe80f3e

Comments