MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1
SHA3-384 hash: b3928658cffddbb2a6ae3514d466903eb5359eec6cca6fecf72de255ef1f83b766f8ae8a2baa4048f4d01fd08de83b30
SHA1 hash: 31cb063d7b2fb995c20ddd31781f9ba4840cee95
MD5 hash: d39584dc7f129d2393d435c566c008c8
humanhash: salami-hamper-bravo-fanta
File name:BL00CN.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:747'008 bytes
First seen:2023-06-20 06:27:41 UTC
Last seen:2023-06-20 12:12:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:jb903Y5HHJHHlHHTHHHH9UuPM7q6bpw4dcZda/igJXRf0osjxEc+304qD89kuKBl:jb903Y5HHJHHlHHTHHHHyzu4CZdO/fHP
Threatray 5'447 similar samples on MalwareBazaar
TLSH T180F412181ADA862BD4270F786460F370923D5FD97622D79F1DC7BC87BA127CC0A3561A
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2b2555676501612b (15 x AgentTesla, 3 x Loki, 2 x Neshta)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BL00CN.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 06:51:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f9b0a5a-3425-4bde-990e-c14a6f93428f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400828/
Detection(s):
Porcupine.Unclassified.139610.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/649146fd0d4f96f7b605d828/reports/22039398-8f47-431f-9b29-714b6f7eb920/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8109f28f-7496-4f8e-bdaa-50884f08c2c3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258432
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 01:21:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jl6icorwkpdbcjijhin6hl4xryiszw4itfy5isaqzmnrwuvf36yq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
37dc167da39f0b4322d8936d32185c2c99931b63284cc9edb230abd513dffbf1
AgentTesla
38a9f881eb28d8f75c2c21a9cb4de15e472866346c747c480e8e6ec485982067
AgentTesla
6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b
AgentTesla
779a609fb967044a625ac9771921cdbcd4f07991f407014a1576e092826f11ec
AgentTesla
841c2906a20d94ec86b77f8521073f13981909c97a739a06f84a7bb9dc9cbe6b
AgentTesla
a01e10efbff0a7a5e5d9ecd12dbc627eb9c776ed1f73e936d85644e22877ddd2
AgentTesla
a7880f86bd0bbb436dde37febb6168a0fbc51978378c0f5fd8f024d3c6487a7c
AgentTesla
aa23406d036894ae210e0531e6014c1377bdb409619cde6143e69d0a8dc7b85b
AgentTesla
af1bcd9ba9a15d74a8819dc87f8032d22c4f26b4b5d10577e6544fa9674c7fbd
AgentTesla
fc15e945d8f642f13960c48e212d2cbff3e9e3890cbac0b17ace14273cac0458
AgentTesla
+ 5'437 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230620-g8bz4abf2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1120509433039036426/CHk1dHvXD5PiQUTZkUhCL_c52ftNU8zduaGdPmlGMX1MHuZ5VFEQUK0TyYq7I2w0h9VW
Unpacked files
SH256 hash:
bf30f7032a6e2fdd6a872718de569645dda2c9e734a4f90a77e5af9a58d75812
MD5 hash:
29432c0db5445ce74b8a1042234187af
SHA1 hash:
fdc1bce5c868fbaed48ff27b3cc73b752bc66e75
Link:
https://www.unpac.me/results/d82680e2-c657-454a-bba9-48e7f7ffc420/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/d82680e2-c657-454a-bba9-48e7f7ffc420/
SH256 hash:
a00b2248c23de310a47ed55f40fc15c310c028a836d801989e93ca03eafd32b0
MD5 hash:
013ac4c31551d70865ed71872a07702e
SHA1 hash:
afcbefc9520b761f32ceea9f944f1d5f57c064f1
Link:
https://www.unpac.me/results/d82680e2-c657-454a-bba9-48e7f7ffc420/
SH256 hash:
a58ae6dbedb232d1d37865cb1d33d30ad2bb9f809601cd92b48c592994b1941a
MD5 hash:
d93575ffb3d5f5f1fd9d64242a9c1cbf
SHA1 hash:
ad3d5b79eebec7989798600ecda4bfab53143b05
Link:
https://www.unpac.me/results/d82680e2-c657-454a-bba9-48e7f7ffc420/
SH256 hash:
727fdfdb0a689277e0189ff3e693bbde5020b35f73c1f4bfea867e263b18fdb0
MD5 hash:
ae22f35378931c743dff9887c54b368e
SHA1 hash:
9d482d45b9e2f5c9b938ef1d8395f6cef893d276
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d82680e2-c657-454a-bba9-48e7f7ffc420/
SH256 hash:
4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1
MD5 hash:
d39584dc7f129d2393d435c566c008c8
SHA1 hash:
31cb063d7b2fb995c20ddd31781f9ba4840cee95
Link:
https://www.unpac.me/results/d82680e2-c657-454a-bba9-48e7f7ffc420/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4afc813a3653/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4afc813a3653c61125093a1be3af978e112cdb889971d44810cb1b1b52a5dfb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400828/

Comments