MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1
SHA3-384 hash: caae4bf8fdaf82fb497c9c100f7ecac249732d7815128a67f891624fd7f9bc9028852d15042b9cc53b83c512af2fea16
SHA1 hash: c20c283439e9ab4ebfd2a1bd43a37ec27db494ac
MD5 hash: 2107b9cb24164e7b6fc6b8552f8a6574
humanhash: fruit-massachusetts-pip-four
File name:2107b9cb24164e7b6fc6b8552f8a6574.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:894'976 bytes
First seen:2023-06-30 07:28:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0FxMq0mQB5AmZD9vOgux4JNP+i+dRgoTWTL59sEt+hzt6nIMUCaPtBoWev:KxMqPmZ1OguePB4goTWL5Cg+dIrCsv
Threatray 4'367 similar samples on MalwareBazaar
TLSH T16D158B3D29BC6723C174C7B5CFE18723B224982B3161DA365DC39BA54796E4229C327E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 393dccda9a8c3d39 (4 x RemcosRAT, 3 x XenoRAT, 2 x AsyncRAT)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.redemed.xyz:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
2107b9cb24164e7b6fc6b8552f8a6574.exe
Verdict:
Malicious activity
Analysis date:
2023-06-30 07:33:28 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/dfc5aab7-eba7-4565-8fa3-f175401ba898

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403970/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1995.21758.23833.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/649e8440cf99e7a5cfcc342d/reports/c08ee593-4155-43b4-92bb-6a7dda430a5f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/722a7b4b-76bb-43e1-8abd-bac3d662ff2a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1263693
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-29 22:57:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
24 of 36 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnaochl7zp46wh2jrcnpdg6cnkgd55x2v4wimfertupob34pf7yq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
007391d2d9045b56792ce040d658442ef6bebab5d5c60938c86a5835144a8d26
AgentTesla
1dd3caa0895d9aa12c35344464fc9a229b1d55e8d134e83362fe75753f36ae74
AgentTesla
3625699aceef8218cece58914659f6ba003e6f26ad033645ed738b4972050aa5
AgentTesla
806d84d7beb73d21f10339e37cc8cad779ab270fb80b79258268aa78fe85f9b0
AgentTesla
8cb05af5d5848832ac7006071a842f3566196a891cd232ff3602b550803e73c5
AgentTesla
8d47a0875bae9f6a20e36525e6be0c0450e7492fb540a1f65802601bf8e558bb
AgentTesla
987a4d7b9be473efd2aa0ff7f0958414d64e0fa058bbaadb702c2024dbc9562c
AgentTesla
c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea
AgentTesla
e57c444a50a0cb9ac14152220923763532f8a280c37ff45ee55ef28844740434
AgentTesla
+ 4'357 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230630-ja8yaahd31/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e6e75ccb860d44428ac74a922fec8afcfea01f4c87e32bdcb4ce2bbe89c43222
MD5 hash:
1a15304c29ce122aa965ade7e3add267
SHA1 hash:
ca3164744d3093bf17bd7e7742cef71d332a16c9
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
7f172c992a432859bfc19589ebc3e26a05d44beef3e9baa55e29a3932e885f8f
MD5 hash:
714f9d4bb0c4c023e2c4e1aa6077b500
SHA1 hash:
c9a71d53b57e4b751a1d6864e0b9dd1bb1bba1f9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
Parent samples :
007391d2d9045b56792ce040d658442ef6bebab5d5c60938c86a5835144a8d26
987a4d7b9be473efd2aa0ff7f0958414d64e0fa058bbaadb702c2024dbc9562c
e57c444a50a0cb9ac14152220923763532f8a280c37ff45ee55ef28844740434
4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
e6e75ccb860d44428ac74a922fec8afcfea01f4c87e32bdcb4ce2bbe89c43222
MD5 hash:
1a15304c29ce122aa965ade7e3add267
SHA1 hash:
ca3164744d3093bf17bd7e7742cef71d332a16c9
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
7f172c992a432859bfc19589ebc3e26a05d44beef3e9baa55e29a3932e885f8f
MD5 hash:
714f9d4bb0c4c023e2c4e1aa6077b500
SHA1 hash:
c9a71d53b57e4b751a1d6864e0b9dd1bb1bba1f9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
Parent samples :
007391d2d9045b56792ce040d658442ef6bebab5d5c60938c86a5835144a8d26
987a4d7b9be473efd2aa0ff7f0958414d64e0fa058bbaadb702c2024dbc9562c
e57c444a50a0cb9ac14152220923763532f8a280c37ff45ee55ef28844740434
4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
e6e75ccb860d44428ac74a922fec8afcfea01f4c87e32bdcb4ce2bbe89c43222
MD5 hash:
1a15304c29ce122aa965ade7e3add267
SHA1 hash:
ca3164744d3093bf17bd7e7742cef71d332a16c9
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
7f172c992a432859bfc19589ebc3e26a05d44beef3e9baa55e29a3932e885f8f
MD5 hash:
714f9d4bb0c4c023e2c4e1aa6077b500
SHA1 hash:
c9a71d53b57e4b751a1d6864e0b9dd1bb1bba1f9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
Parent samples :
007391d2d9045b56792ce040d658442ef6bebab5d5c60938c86a5835144a8d26
987a4d7b9be473efd2aa0ff7f0958414d64e0fa058bbaadb702c2024dbc9562c
e57c444a50a0cb9ac14152220923763532f8a280c37ff45ee55ef28844740434
4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
e6e75ccb860d44428ac74a922fec8afcfea01f4c87e32bdcb4ce2bbe89c43222
MD5 hash:
1a15304c29ce122aa965ade7e3add267
SHA1 hash:
ca3164744d3093bf17bd7e7742cef71d332a16c9
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
7f172c992a432859bfc19589ebc3e26a05d44beef3e9baa55e29a3932e885f8f
MD5 hash:
714f9d4bb0c4c023e2c4e1aa6077b500
SHA1 hash:
c9a71d53b57e4b751a1d6864e0b9dd1bb1bba1f9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
Parent samples :
007391d2d9045b56792ce040d658442ef6bebab5d5c60938c86a5835144a8d26
987a4d7b9be473efd2aa0ff7f0958414d64e0fa058bbaadb702c2024dbc9562c
e57c444a50a0cb9ac14152220923763532f8a280c37ff45ee55ef28844740434
4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
SH256 hash:
4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1
MD5 hash:
2107b9cb24164e7b6fc6b8552f8a6574
SHA1 hash:
c20c283439e9ab4ebfd2a1bd43a37ec27db494ac
Link:
https://www.unpac.me/results/9a5a30b9-75fe-4bfb-b190-6f4b1f60a359/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4b40e11d7fcb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4b40e11d7fcbf9eb1f49889af19bc26a8c3ef6faaf2c8614919d1ee0ef8f2ff1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2673643/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/403970/

Comments