MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a4da69215b399bdf428b5ca73d7f26e91042dd43011ff6e8c712ecf0b7c6154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a4da69215b399bdf428b5ca73d7f26e91042dd43011ff6e8c712ecf0b7c6154
SHA3-384 hash: 601ddca8e75a90344433561d54f1a8413957cd67b4e11624a913ee0e85f8d87b1493f6876c8ff0bf9302d14ebedff5ac
SHA1 hash: 03a95114130024de5ff8063745e2f18768268920
MD5 hash: 11e32bb42c0cf93e9d9cf69a4092c2c9
humanhash: pluto-nine-tennis-hot
File name:HSBC Payment Advice_PDF.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'117'262 bytes
First seen:2021-10-06 08:54:38 UTC
Last seen:2021-10-06 11:28:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:eAOcZw6Aom87CkfbAAknlPwvM7BZ7cGTq6ai0bagi7vJH:kWAgzUlovmZwGTq6d4a55
Threatray 976 similar samples on MalwareBazaar
TLSH T1F435E0E1B780C471D8635A39983ADB676833B51C9D284A1D3BD1BF1F7D323425027AAB
File icon (PE):PE icon
dhash icon 6ccccc8ca4c2f2b2 (2 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe HSBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195367/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed packed
Link:
https://www.filescan.io/uploads/615d646db95458900cdd052c/reports/5e822156-1532-48fc-8eda-23e4a429d2d8/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6800be43-92d7-42b2-ab53-05230d28f6c7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865468
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious MSHTA Process Patterns
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497895 Sample: HSBC Payment  Advice_PDF.scr Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 6 other signatures 2->44 7 HSBC Payment  Advice_PDF.exe 30 2->7         started        10 TmZaMAa.exe 2->10         started        12 TmZaMAa.exe 2->12         started        process3 file4 34 C:\Users\user\AppData\...\sfikpaob.pif, PE32 7->34 dropped 14 sfikpaob.pif 3 7->14         started        18 conhost.exe 10->18         started        20 conhost.exe 12->20         started        process5 file6 36 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 14->36 dropped 52 Multi AV Scanner detection for dropped file 14->52 54 Writes to foreign memory regions 14->54 56 Allocates memory in foreign processes 14->56 58 Injects a PE file into a foreign processes 14->58 22 RegSvcs.exe 2 4 14->22         started        26 mshta.exe 14->26         started        28 mshta.exe 14->28         started        30 5 other processes 14->30 signatures7 process8 file9 32 C:\Users\user\AppData\Roaming\...\TmZaMAa.exe, PE32 22->32 dropped 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->48 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->50 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4a4da69215b399bdf428b5ca73d7f26e91042dd43011ff6e8c712ecf0b7c6154/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 08:55:08 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjg2neqvwom335biwxfhhv7sn2iqilougai763umoexm6c34mfka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
022a59ed972a0a93af024278929ae49d28e59382e620c283dd3b701f24a218d4
AgentTesla
03c6ec94511f79ea5315870ca752e55f074581382a9e33ea403281e3bec95968
AgentTesla
0ce9dd105728a0d9dff59c549aabe49d4b9eeaa92f81f84ba82119b00962eb05
AgentTesla
20abcc84d40d1b7314e3f293c510ee4f5199d43db15074aa79705c98bacf5ff5
AgentTesla
6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb
AgentTesla
831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7
AgentTesla
bbc2d59fe5903a0015ed42005006300c92cbc16456ecb7204c59c11b56307f83
AgentTesla
bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
AgentTesla
c8a4462c6b8f5d8728d5374adc98def5a5c38dd97d70a1c3859c876bfbe3fbd0
AgentTesla
ebbc6f882c469db06196cbeea3ef7b62899229ef1f89234ef3ace2f83ce2b557
AgentTesla
+ 966 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211006-kvgvzaaha5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ffe40031dec092e6fc9fb5fd6724fea617cc895926af5dea5c7e7d1ca6847b54
MD5 hash:
25c25298f455f2eeeafea6c2ca317424
SHA1 hash:
0e3da1b55756fc8497f34638d327414f41b7f741
Link:
https://www.unpac.me/results/15f6a7f2-cdab-4885-893f-73c8be5fa9d4/
SH256 hash:
4a4da69215b399bdf428b5ca73d7f26e91042dd43011ff6e8c712ecf0b7c6154
MD5 hash:
11e32bb42c0cf93e9d9cf69a4092c2c9
SHA1 hash:
03a95114130024de5ff8063745e2f18768268920
Link:
https://www.unpac.me/results/15f6a7f2-cdab-4885-893f-73c8be5fa9d4/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4a4da69215b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a4da69215b399bdf428b5ca73d7f26e91042dd43011ff6e8c712ecf0b7c6154

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4a4da69215b399bdf428b5ca73d7f26e91042dd43011ff6e8c712ecf0b7c6154

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195367/

Comments