MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a95460119edb2d3b8bad5a9ea1a2580f296e01f17abcabcd35fd84f3e492bf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a95460119edb2d3b8bad5a9ea1a2580f296e01f17abcabcd35fd84f3e492bf3
SHA3-384 hash: 50085b97ed1872f760d8596129aa7511bd6513f352b174d918c8e4043cc0b9ef73f33da9025641284a0b24e83e0b5db5
SHA1 hash: 3bce0b1908a2a2ab5c69fc53ffc20c66cb692d69
MD5 hash: 861a72fb1fb81a1889e61cd9ac2e0001
humanhash: august-comet-fruit-purple
File name:861a72fb1fb81a1889e61cd9ac2e0001.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:31'744 bytes
First seen:2021-09-27 17:43:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:sbHYLP96wkZmjzYnP7RhRvxKq2Y1rqLu:sbHokZKEFXvxKqHsS
Threatray 10'319 similar samples on MalwareBazaar
TLSH T1BEE23AC2E3C595A4FCAB1A311437AE400F26FF25BDD52A5439D4761B4EB328196B331B
File icon (PE):PE icon
dhash icon e0e4a2aaa4b8a888 (10 x DarkWatchman, 5 x SnakeKeylogger, 5 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
D.I. Pipes Fittings.doc
Verdict:
Malicious activity
Analysis date:
2021-09-27 13:57:13 UTC
Tags:
exploit CVE-2017-11882
Link:
https://app.any.run/tasks/52ba1f16-595e-45bb-be36-fcf059443f73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192237/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Swisyn.kZb9.2416.14804.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ddf9304-56f7-45b1-8ac0-84b6acff6220
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/859256
Signature
.NET source code contains potential unpacker
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491686 Sample: xWKIUfcQRv.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 68 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 .NET source code contains potential unpacker 2->41 7 xWKIUfcQRv.exe 15 4 2->7         started        process3 dnsIp4 27 store2.gofile.io 31.14.69.10, 443, 49797 LINKER-ASFR Virgin Islands (BRITISH) 7->27 10 powershell.exe 68 7->10         started        13 powershell.exe 7->13         started        15 powershell.exe 7->15         started        17 2 other processes 7->17 process5 dnsIp6 29 facebook.com 157.240.17.35 FACEBOOKUS United States 10->29 19 conhost.exe 10->19         started        31 twitter.com 104.244.42.1 TWITTERUS United States 13->31 21 conhost.exe 13->21         started        33 google.com 172.217.168.46 GOOGLEUS United States 15->33 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a95460119edb2d3b8bad5a9ea1a2580f296e01f17abcabcd35fd84f3e492bf3/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 08:40:03 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f6e76fa6ad6076eb9861274818d29964a0e1f5d9290f79d814a154a8b753d16
AgentTesla
27ffeae59c94c45ba5f1ec1422eb5cdcc2743891bc88bbcbfb2c9326216394c9
AgentTesla
2b9e8dc39755d37c2a78fd00f6fa57414205648e65ae6a6c76c102c7d78e2e86
AgentTesla
542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def
AgentTesla
58693daab97634f8e662c1efb84454d9939b5e29979860a781a614f56462593b
AgentTesla
7e51a77e743f6628014b844006256da1d6a7e9685aa41cf6b1721a96374582df
AgentTesla
822698a4aff7b2404e000e0dc20c158a9e5ddf5fd23e6231aaef80c21f802c89
AgentTesla
84ca69c5b4aafce43efece75b3074198ff53178ad89e3044dd74a5c85bc72258
AgentTesla
cb7316ea8d004dc3665c2668d2a9338bd163a41f75b2a925f6af5e853c09282d
AgentTesla
fab587d66022bb63c3c252b36b6ab6a8aff3d2673d1eaa7bfe03d146eb4d9450
AgentTesla
+ 10'309 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210927-wa65xahfcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2040855357:AAEEA7i5akx81-tPd6D9BhA9wQ2kKvLyMv8/sendDocument
Unpacked files
SH256 hash:
4a95460119edb2d3b8bad5a9ea1a2580f296e01f17abcabcd35fd84f3e492bf3
MD5 hash:
861a72fb1fb81a1889e61cd9ac2e0001
SHA1 hash:
3bce0b1908a2a2ab5c69fc53ffc20c66cb692d69
Link:
https://www.unpac.me/results/9891368f-15cf-4d0b-bbda-0493f8f86008/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4a95460119ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a95460119edb2d3b8bad5a9ea1a2580f296e01f17abcabcd35fd84f3e492bf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4a95460119edb2d3b8bad5a9ea1a2580f296e01f17abcabcd35fd84f3e492bf3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1645537/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192237/

Comments