MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a89533e44f0b0e7725108e365f96a39a2dfda65feda3c51ca26daf31da45a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	4a89533e44f0b0e7725108e365f96a39a2dfda65feda3c51ca26daf31da45a55
SHA3-384 hash:	16201937cd8ace68209ea7d89b8a9fe9c10cff063a64a3a00e4e0b76e07115ef37967f40cf349cb8d9bd783932406be4
SHA1 hash:	69d1f9ff93760ca17ff08b923aae3beedd8a4c7a
MD5 hash:	b06d001898c8ee6eeb915ae4e21f8ac8
humanhash:	fourteen-april-minnesota-kitten
File name:	SecuriteInfo.com.Trojan.PWS.Siggen3.25377.32135.28872
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	898'048 bytes
First seen:	2023-01-20 07:31:07 UTC
Last seen:	2023-01-29 16:17:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:SnTQguO4cQIWHUlMsyh8lLfnXW/pBVPNT8h813O64F7dnJV4ilzPt:OTaz0shcLfnXWZl5N27dz4OPt
Threatray	25'094 similar samples on MalwareBazaar
TLSH	T1A6156B516191C2D5ECB24E780678F92427959D5BA32D41BEBEC7343A88F378F84783A3
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PWS.Siggen3.25377.32135.28872

Verdict:

Malicious activity

Analysis date:

2023-01-20 07:32:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1682b600-4669-4b26-a8b1-ad519e82c9e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/354854/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.25377.32135.28872.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63ca4375696b2d972573d485/reports/d603a439-83d9-4c6c-827d-1afe076f8be3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db480d2f-0c8b-48f2-a51b-91cb88927011

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1155349

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a89533e44f0b0e7725108e365f96a39a2dfda65feda3c51ca26daf31da45a55/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-01-20 05:26:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jkevgpse6cyoo4srbdrwl6lkhgrn7wtf73ndyuoke3npghneljkq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871

AgentTesla

5f27f9b8bc5163d559f215ca5811ac487fae9b69aaf6f338648d9d3cd78ab305

AgentTesla

7d142fc404d92deb83891ca5dacffbc9e9754797ed55b1562873a7b4c2c914b7

AgentTesla

85d1bacd13251ae55d4de9a08e513b1d5e326ce59668502609b1d9391565a928

AgentTesla

a1b4b59ce0ed13e04420c13bfcb67c099ba6b60d1f7710d85fb4c8eb071bbc39

AgentTesla

a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8

AgentTesla

d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85

AgentTesla

d9d9e3cc542fd9391c9ae953b0071b0a4a450df7d6e3e5563df812b128ab2620

AgentTesla

+ 25'084 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230120-jczsdsab85/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

a3d77b1c221c420c55db7cf1832a650793e2bc0b824595669603c6b5b6a3f589

MD5 hash:

5624d4443ba51978c872c0308df9e29d

SHA1 hash:

fd4252c4566cf588aa933272d72270e908349edd

Link:

https://www.unpac.me/results/f5295ec0-f1fc-4f85-84d4-eb93e373a69d/

SH256 hash:

77e21b3083980e3fb833c13d5c1f4185116f3fefaece3851f94e02d355bcddf0

MD5 hash:

0eab1249d1c1ae095d5badff80b50dfc

SHA1 hash:

e036b2973a68157c24e8e2b130bfef025d26bd00

Link:

https://www.unpac.me/results/f5295ec0-f1fc-4f85-84d4-eb93e373a69d/

SH256 hash:

2ffa9ad3f98d108301a7fa0606e9d4860ade0f7d4c547de6282f4bd1f6e40217

MD5 hash:

41bef74de705e91ef6a5b66b929fa174

SHA1 hash:

b430f208a42533f8390f00c1dfe50d97c3913957

Link:

https://www.unpac.me/results/f5295ec0-f1fc-4f85-84d4-eb93e373a69d/

SH256 hash:

9f9515f38402ca828a2c83b2056dd99fa2a0e5eb3118e6171ca694bfbb0a27f5

MD5 hash:

90a4914115fe1d20d41e3dfc9455033d

SHA1 hash:

40b0b981fc7d61b1dd07e47373ac7134adb8ec65

Link:

https://www.unpac.me/results/f5295ec0-f1fc-4f85-84d4-eb93e373a69d/

SH256 hash:

757739990721ae75b7c63ef4c321863de6c3e5149467f097cd27699b2d99891b

MD5 hash:

24d8652cab672b700bbe07208e6cd548

SHA1 hash:

0b932ef5cc34ab318d682556d0209cf43f7a494a

Link:

https://www.unpac.me/results/f5295ec0-f1fc-4f85-84d4-eb93e373a69d/

SH256 hash:

4a89533e44f0b0e7725108e365f96a39a2dfda65feda3c51ca26daf31da45a55

MD5 hash:

b06d001898c8ee6eeb915ae4e21f8ac8

SHA1 hash:

69d1f9ff93760ca17ff08b923aae3beedd8a4c7a

Link:

https://www.unpac.me/results/f5295ec0-f1fc-4f85-84d4-eb93e373a69d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4a89533e44f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/4a89533e44f0b0e7725108e365f96a39a2dfda65feda3c51ca26daf31da45a55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/354854/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample