MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef
SHA3-384 hash: b9c448f4d59d7142c353585240034d7e2b66610d977d46ac474debf00e46770f5837992c80bd25f0ed627a1701e7143a
SHA1 hash: 404038a796396209580a64a537b57695bbd9b175
MD5 hash: 2a163403e00ba8afbe3c7a2e6df3e2e2
humanhash: lactose-rugby-emma-michigan
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:404'200 bytes
First seen:2022-11-24 16:31:12 UTC
Last seen:2022-11-24 18:28:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn12ZAxOykmTM3B8+EszGP2Raz6MlQBvN5JpENjKi7E1HyQlBZIs7Y8X8lkP:g2EcmfDsw2AH+7QYj1HyQJ37Ymj
Threatray 20'624 similar samples on MalwareBazaar
TLSH T15E8423D9AEF998E7C8934DB4BAF74615DAF7E1201818660B43E44B7B2338583E41F760
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter jstrosch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
wshrat
Create hunting rule
ID:
1
File name:
UAB VISI ATSAKYMAI30000290161120220112162613..js
Verdict:
Malicious activity
Analysis date:
2022-11-24 09:47:46 UTC
Tags:
trojan wshrat loader agenttesla
Link:
https://app.any.run/tasks/9644402d-a8db-403f-b478-4e6f499713e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338133/
Detection(s):
SecuriteInfo.com.FileRepMalware.2622.5267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Setting a keyboard event handler
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637f9c8400c584752ee1bbec/reports/b0d46d2d-5659-4889-8d95-15b2b43a564e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1790b333-8010-4749-ac1d-beeb186c2561
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120658
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 16:32:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkf3uulm2fyzexhtnfu3t2ecyebj3p4iha2gh6pwiykf6vh4gxxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
038e75fa865a3c80bb63a5fd0ddaf57b882d4c4e6ef96cb10b58113234747663
AgentTesla
458875e02d96fcc736bd56465bc36cc480dc57698db5396d091bd82a6070758d
AgentTesla
58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb
AgentTesla
5c9c51f336a4f92821219c73a99bd5c7e4bc749967e95745b12af9c25285b314
AgentTesla
77e60f86df5027b5cddd14fb1e0acc3e9a2c5456efeea831118d36180358c591
AgentTesla
a148f6912ad65a00621fd10bf86af7d79ea6c91d9e653649955956a7a23e3f2a
AgentTesla
f0464f5e9669b4112215874eb7df62b915fe83a00e5365da6d8ecf7be9981388
AgentTesla
+ 20'614 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221124-t1ykcafd38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5655543251:AAF6zs8TWZ5wmyQhXrUZEpQjh6VaOy-aYoQ/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cc0ee31c-929e-4509-b184-6a25c4ba778a
Unpacked files
SH256 hash:
d5453dc3f4de3deee58d7e0e294e042b87458b4388658dff9db823d99dfbd2af
MD5 hash:
a014336b994f61bd9b5a8bc1c80e5916
SHA1 hash:
56e29cf0d4d52d5383a5eec867abcf4016aa9d11
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/5071ee75-a918-48dc-9b76-2c823d5186a5/
Parent samples :
4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef
a7688edb40ec7fb6cce0ff2d8859626b8cabc668578c1c69795e68eed32c94ff
783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06
SH256 hash:
6058cebe9c8ccfd2c4576dbfbaf254e18e0617d3a42e4b4e054b71105cbdb98b
MD5 hash:
8a73408537089a2c75b20e5777a45a3c
SHA1 hash:
6743c59431668ff81f1c09e2c2820417dea10324
Link:
https://www.unpac.me/results/5071ee75-a918-48dc-9b76-2c823d5186a5/
SH256 hash:
4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef
MD5 hash:
2a163403e00ba8afbe3c7a2e6df3e2e2
SHA1 hash:
404038a796396209580a64a537b57695bbd9b175
Link:
https://www.unpac.me/results/5071ee75-a918-48dc-9b76-2c823d5186a5/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a8bba516cd1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2432074/
Cape
Cape
https://www.capesandbox.com/analysis/338133/

Comments