MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc
SHA3-384 hash:	5384ab05b4c382565eb626d5403769d68f17156485e641fc8ff1dfe50645a9eab9252afc4b9551b7efcb5e14a2f74e13
SHA1 hash:	0ffc108c58c0ffd2d93fc1cb031b37f30b2721cb
MD5 hash:	1bf654965b7ea20f86d0681bfc3bef2f
humanhash:	bravo-texas-india-music
File name:	SecuriteInfo.com.Win32.PWSX-gen.21925.16666
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	728'576 bytes
First seen:	2023-11-14 08:31:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:weIplfmk5RRdzO97AVRRjfPndYkanOHZjbtmcSC/OdDrrCKdb:eOk5R/z9VRpPWUxJmcSCcDrr
Threatray	1'776 similar samples on MalwareBazaar
TLSH	T14CF401263A2C89B3D22C01F9508A118457B1FF26A563D3844DD7BFE967F37C1EA06297
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/458450/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.21925.16666.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Reading critical registry keys

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6553308528bfca96f8ab57d8/reports/7f9752e3-9ee2-453a-aca7-c145d7a3102b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dca84c63-9b32-4d00-bdbb-20ed26b8bd7b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1342169

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-11-14 06:53:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 37 (45.95%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jlrqjumu3pvmgjqynqy4lc57j5gio6i53oyer36djbkooxo6sg6a._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc

AgentTesla

a8c8e8ba3a18a34c8404770d291583d45136837bf99f52dd2015bbdfba5f5a50

AgentTesla

e4e1ed1bd87db14998f1a0e348c48a3ae7ac57cbe35ee2741cd0c725920f6dc7

AgentTesla

ee7432148405e04f7d9f06bf7705fdcd737a50b0f8b8f0fe7c0c7e01a51e75cb

AgentTesla

f281d0cd25d9dc8b85212323cb16829069afc3978f6f89b3b10d228da0da5d35

AgentTesla

+ 1'766 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231114-kesmjahf9y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/2d6cb611-69db-44b8-889e-26f75d2abad9/

SH256 hash:

76482f1dc9b0639dd6b2d762e09101875e207e8c60e146a43ca182a4c13d6afa

MD5 hash:

9561bc00330bfa400784c1b3b2075d0b

SHA1 hash:

b98f0014f428085dea5ea44108d64d9119e3d698

Link:

https://www.unpac.me/results/2d6cb611-69db-44b8-889e-26f75d2abad9/

SH256 hash:

3ebf0b01d89dd2ecf3e400607dcbf009fbf6e91111e2322d899ee24ad2394d35

MD5 hash:

93ba7d127ef9a6affea800141ed6581c

SHA1 hash:

a0c94d023cd4bc453de2c056f09d528ea7b516ba

Link:

https://www.unpac.me/results/2d6cb611-69db-44b8-889e-26f75d2abad9/

SH256 hash:

691f9cba987d99b605b966bb2eacfea2d7a7773eb393ba5bc0c9cba71999d6dd

MD5 hash:

4c6b0eb388b4fb3803ebdc532212c1dc

SHA1 hash:

0d7236aa024fd66852ca0f7c62e0c4161115c89f

Detections:

AgentTesla

win_agent_tesla_g2

Agenttesla_type2

Link:

https://www.unpac.me/results/2d6cb611-69db-44b8-889e-26f75d2abad9/

Parent samples :

a8c8e8ba3a18a34c8404770d291583d45136837bf99f52dd2015bbdfba5f5a50
e4e1ed1bd87db14998f1a0e348c48a3ae7ac57cbe35ee2741cd0c725920f6dc7
4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc

SH256 hash:

4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc

MD5 hash:

1bf654965b7ea20f86d0681bfc3bef2f

SHA1 hash:

0ffc108c58c0ffd2d93fc1cb031b37f30b2721cb

Link:

https://www.unpac.me/results/2d6cb611-69db-44b8-889e-26f75d2abad9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4ae304d194db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/4ae304d194dbeac326186c31c58bbf4f4c87791ddbb048efc34854e75dde91bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/458450/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample