MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0
SHA3-384 hash: 11c6575a21d3f7b8986c30b0d378d286c4e45bbbf478ecf80befba0d625578dcdfb6e5687b225668780d5481f8f4b2da
SHA1 hash: 4dd8588e204f8645afc005cc7deb8572df5f9103
MD5 hash: 7f9f5628b1698378cecaff303fb4cf2d
humanhash: lithium-fifteen-snake-robert
File name:02161699.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:702'976 bytes
First seen:2023-05-30 07:48:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:asIdul2iNfmFx2iqNhujGjUBnWjmKL6qB8J4MYUZeB818A5m7g14SK9Yrqzotwff:asIdul1lmFxUKncO5xnA3A5m7KBjrqm+
Threatray 4'399 similar samples on MalwareBazaar
TLSH T115E4021823FD47AAD6B727B657A14635437BBDAA7771D30B0E83B1CA1D61B004A10B73
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Neiki
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
02161699.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 07:55:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ca7b997-de30-471e-8400-9f28cab5eac6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393380/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6475aa6fe464780675a786bf/reports/4bf07ae0-8bf8-42f7-a6ac-5fede3953983/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d6d93e2-e40a-4337-9a0e-0ba289f9685d
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244975
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877981 Sample: 02161699.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 6 02161699.exe 3 2->6         started        10 MmRKwR.exe 3 2->10         started        12 MmRKwR.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\02161699.exe.log, ASCII 6->23 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->51 14 02161699.exe 2 5 6->14         started        53 Multi AV Scanner detection for dropped file 10->53 55 Machine Learning detection for dropped file 10->55 19 MmRKwR.exe 2 10->19         started        21 MmRKwR.exe 2 12->21         started        signatures5 process6 dnsIp7 29 us2.smtp.mailhostbox.com 208.91.199.225, 49692, 49697, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 25 C:\Users\user\AppData\Roaming\...\MmRKwR.exe, PE32 14->25 dropped 27 C:\Users\user\...\MmRKwR.exe:Zone.Identifier, ASCII 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file / registry access) 14->37 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->39 31 208.91.199.224, 49693, 587 PUBLIC-DOMAIN-REGISTRYUS United States 19->31 33 192.168.2.1 unknown unknown 19->33 41 Tries to harvest and steal browser information (history, passwords, etc) 21->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 16:18:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 37 (59.46%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jk4jwms6hjqcic4ws3rgibwtdnodfdk4nbdvsarktqksgecpywqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1af9751a544e54a90c1b18ce2fb731d3f9b2e53e7143f9904622706109949abf
AgentTesla
38d4243f8cb750a5220bbb7e0a0acfad25ff6bc1cd41e281e8f8379dcd742d7c
AgentTesla
3c1afe298565b77c5c91c36fc8758fc967e90d849f20f9d4daa68c082a8a1206
AgentTesla
60a107b83a792df4cafbe67547cf3663ee3e2277572f8778bb78bd226d9188d8
AgentTesla
6ff0433a9bb7d6a3a7dd345dbf1c12850ec13d3e72898815ed595c9605752dbe
AgentTesla
8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c
AgentTesla
8921ed257002d7a54fe4e22f1192cfc11a0d1f15270619361aefa96164a992eb
AgentTesla
a62d9307bbcf6c6a1da2a346c9c53a1354d6678d960d2641469ddf2e8fe3c758
AgentTesla
d63f3bfd1d9356906b66380f6a1b6153ba5d8e950b3b24bddaf47b01294186a8
AgentTesla
e037d9d7acd5564e330b8398de2958a117feb43520454f1f8838983ae829428c
AgentTesla
+ 4'389 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230530-jnp3bsge7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
69fcd9cf716adbac468c07c3d4ccfb6bff53d11852bb73d400a9f307b999b953
MD5 hash:
7c465b8f69b60d827309c853760d1d37
SHA1 hash:
bb7771ade6821da88f7c88a2ac167cc21fee0fb4
Link:
https://www.unpac.me/results/1761eb44-d7c2-41c2-bf56-197a59ef7378/
SH256 hash:
1e549cfdf127402804e41e53ed40200876598aa167ef3f586d996c9a7982fc52
MD5 hash:
0fc8ebb6535797c45348ede4da50f5c6
SHA1 hash:
b14b20d9e69d962627addf30a9ed8205f35603aa
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/1761eb44-d7c2-41c2-bf56-197a59ef7378/
Parent samples :
4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0
47560478ac10be3464c9193150527e27af88e214e2c8acace019e7fe32df5197
1cd1f5ab76966f57655f53e59b4d210ece1338051884e1fbe167e99020fc7ce4
c073d55e30e424b99d07e376c38ca35b579dbd327da6be96cec527b0e3132ccd
10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720
c569fe7d3ccb9bf36356f829d5ab7de3ba4261d3beaffef1e690d8d197919c71
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/1761eb44-d7c2-41c2-bf56-197a59ef7378/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
6719047850b34e22eed9510770370376d2fbbbf9b7fcd72304913191d2bd902d
MD5 hash:
4c12875c11edbe8ce1a8bf5133f905fa
SHA1 hash:
96c0252fbfd6d4b9f19284fcbd6cf69071663c7b
Link:
https://www.unpac.me/results/1761eb44-d7c2-41c2-bf56-197a59ef7378/
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/1761eb44-d7c2-41c2-bf56-197a59ef7378/
SH256 hash:
4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0
MD5 hash:
7f9f5628b1698378cecaff303fb4cf2d
SHA1 hash:
4dd8588e204f8645afc005cc7deb8572df5f9103
Link:
https://www.unpac.me/results/1761eb44-d7c2-41c2-bf56-197a59ef7378/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ab89b325e3a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2645381/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/393380/

Comments