MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4adbefef01b1f96852f2f9029f6ccff66e8a20dfeeab348c3fffa98145f5a7e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	4adbefef01b1f96852f2f9029f6ccff66e8a20dfeeab348c3fffa98145f5a7e0
SHA3-384 hash:	d1efdc3fda9d1329dace0b479c8387d5c0feeeda41fc8a4cd06894b77fe7c8174ffeffcd8b463f86672aa457785bccec
SHA1 hash:	369cab9fad55f59a7a1cf66857d9225cf2232606
MD5 hash:	b3398e771363be479534858ddce2106a
humanhash:	pizza-monkey-undress-carbon
File name:	nnnb.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	623'104 bytes
First seen:	2020-11-16 06:00:44 UTC
Last seen:	2020-11-16 07:45:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:I35UEM4VbJ4//rzhppYNo3zpxWCAdhm/wQmfqDJL6T86:I3cMmnhppkoDWCAdhQwTqDJLN
Threatray	1'203 similar samples on MalwareBazaar
TLSH	42D4120179E94A76C6FE0674FB6186005E37E944F10FE76B2417E8FCFA43B8269416A3
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20201116-0008.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/536950

Signature

.NET source code contains very large array initializations

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4adbefef01b1f96852f2f9029f6ccff66e8a20dfeeab348c3fffa98145f5a7e0/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-11-15 20:49:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jln673ybwh4wquxs7ebj63gp6zxiuig752vtjdb776uycrpvu7qa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

13af8f732fea5ea0c0c60a400deb50a66677d5e70b3988766728e12a4283348b

AgentTesla

19ffc5a627d649823f1c007aca79d31017642186ecd00d9bbe5ee6d7f557a41b

AgentTesla

3745a056d8f798d0b84a3b1cbaf5858f38f1f7cc3198d66a95e65c18302fba03

AgentTesla

49ef497b6d6e202415f3af71ba32397a28851f815944e882e07a1d9ec6ac3f46

AgentTesla

59d7b71538a37e7b11db4e6ea6d37d6d12580ad7d415489f4524f7d5a75ffda3

AgentTesla

9d36d33688fefea55f7b2b7c25165ab3a85319b5f466174fa2396537187eabe0

AgentTesla

a02ddaa108e3ffefb5b7024adf7190b5eadbd7b73d91f7380aeaffbd01b4cbf4

AgentTesla

a9de7245d53941bf8ef3710f1d03034b84763973bb5504d1fbb070365733834e

AgentTesla

d9558d1d57b828c004184004ace0763b53e65ad5fcf03bf2eca1217b97238184

AgentTesla

+ 1'193 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201116-n4f23nxxj2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

4adbefef01b1f96852f2f9029f6ccff66e8a20dfeeab348c3fffa98145f5a7e0

MD5 hash:

b3398e771363be479534858ddce2106a

SHA1 hash:

369cab9fad55f59a7a1cf66857d9225cf2232606

Link:

https://www.unpac.me/results/f69955ce-3c72-4bfc-aa2f-b857b5d14070/

SH256 hash:

46ce313cf51528d8f968fb309791011f336f7112cf890f0675decb9a13a644fa

MD5 hash:

3db26a27dfac5c5881dc41137e8254db

SHA1 hash:

0793abc7cd8e4c653533b1072d8a39d568025971

Link:

https://www.unpac.me/results/f69955ce-3c72-4bfc-aa2f-b857b5d14070/

SH256 hash:

7f29476ee42521f367fe8166f99b33ed627e8952b2fa2d705dce22b9602c661f

MD5 hash:

86de8672e1dd8ddf75c005ff2965a4de

SHA1 hash:

f5f300357b7db109b0824b800c6ea35c9c021633

Link:

https://www.unpac.me/results/f69955ce-3c72-4bfc-aa2f-b857b5d14070/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.