MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b6468989653964cef811f5f54369376c1f07ee33a4d5cb279374a03d0c06a9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b6468989653964cef811f5f54369376c1f07ee33a4d5cb279374a03d0c06a9d
SHA3-384 hash: de612f7c875784797f0e22fa354a749d014169cc50c6324f0be0e4deea38b8aaf01d05627e4de4b999ad5ef834e27784
SHA1 hash: 9cec3ad66b75d5698d841be03ee7d3be898ad5cf
MD5 hash: 816c7445ec32040f1cd61f06da1265b3
humanhash: saturn-oven-double-timing
File name:RFQ098763456789.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:858'624 bytes
First seen:2023-03-10 13:05:42 UTC
Last seen:2023-03-10 16:28:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:SyvpWnX9zt58IXAExxphTTYLGJ/xdVzsEF0i6CPB+VxdfRmvxjHYKM6UGtpSsY/z:SrNRfJxgxsxE8N8zR
Threatray 1'320 similar samples on MalwareBazaar
TLSH T1DA054B243DFA901AB273EFAA9BD4759ADA6FF7233707A45D109103860723A81DDC153E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe RFQ

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ098763456789.exe
Verdict:
Malicious activity
Analysis date:
2023-03-10 13:06:29 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/37477b41-b1ca-4a38-ae73-0fce338ad1c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373405/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12316.32559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/640b2b3d8a02c7ebaf240dbd/reports/9e0ebe38-90e0-4b4d-9ee1-2bebea6531d1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4b6468989653964cef811f5f54369376c1f07ee33a4d5cb279374a03d0c06a9d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42d8865e-c911-4a76-a6a4-efd923407a43
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191220
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b6468989653964cef811f5f54369376c1f07ee33a4d5cb279374a03d0c06a9d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-10 03:32:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnsgrgewkolez34bd5pvinuto3a7a7xdhjgvzmtzg5fahugankoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3221b60a97d6becffd25f5aadc1679400a41f91e2538f203761809f9dd65039d
AgentTesla
4097ec9b7e47872f529451d84c79c68d22016553e63c95162306354a1b15a9d1
AgentTesla
441db0ba656348d924bb8cd264d09f13cc1f5d1f457ce758aa5baed1ee029fb6
AgentTesla
589459202b13d455eb66686b0ad19c3dcadc8b7b915515fced84ede742868c10
AgentTesla
60756600b313edbba5f10915507ae6f7e1fe22bb7dc34e7efa2c1503441f8736
AgentTesla
6ae9e95178fbe3f0b8d2495b927ebbba4edf143d9d703170d6a309bce7e8aad8
AgentTesla
8c0e721552c34db7f85815bb3dd9e2847df1deffdb9e889fdf23127a8a81d2f9
AgentTesla
949d00495bd796de4f53cad348b8908e65f3cf92ccaeec90b165988ef0517bbb
AgentTesla
aa5336fbd1f094aabf356588943e259fdb8330a19e9e957bf8bbcac9d3ae7401
AgentTesla
f81ea0341cc62ab6c2d730bcfd2d03ec3a970030b028c2083c3e4cb59b2efe9e
AgentTesla
+ 1'310 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230310-qb3k8afe61/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
ac2ce84a763143cc16745988e0cdb5398206f4b834c8b5acb28cb69836469976
MD5 hash:
b0b4d33b487ada5cb4e16427108a3629
SHA1 hash:
c41807cf5ff4b56c1b4d5ec2ebffca3cba9193ba
Link:
https://www.unpac.me/results/f5b514f4-e9ef-48b6-a837-1a3b7c5f0644/
SH256 hash:
ebae53078ad89c341b0f4ce1de0266250507cc4aeefb8c584ede6321b506ec87
MD5 hash:
c650d65e5b9e49c38fb1d76806c73bd3
SHA1 hash:
17ea7265ca7c33da35677ecab8e28feb330d7fa5
Link:
https://www.unpac.me/results/f5b514f4-e9ef-48b6-a837-1a3b7c5f0644/
Parent samples :
193e2444ca045fd813211cd2c4093f882b6d0bfe183d7a66ad3492bf90b00d3c
b8ebf4c879d3231dab03c47776dc6c85a9c46ac60562c99052a6c29546c886f1
80ae62b5d4012d415c4cb598140cfb6ad485b07f712a0c40d31d6fb46c4dd922
62ba9abf9812bfe84b4861cf596cee1c5a0cc1909e838ee8a31330509bd65147
df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590
41ece53ba5688f97959fa0ebdbfb979c0b60ee534e05b094bae8cef005875876
0972105c3cb2d74e7cb3f00ddcc6cc96089524d5625b62f71e27d5857c6eba40
SH256 hash:
4b6468989653964cef811f5f54369376c1f07ee33a4d5cb279374a03d0c06a9d
MD5 hash:
816c7445ec32040f1cd61f06da1265b3
SHA1 hash:
9cec3ad66b75d5698d841be03ee7d3be898ad5cf
Link:
https://www.unpac.me/results/f5b514f4-e9ef-48b6-a837-1a3b7c5f0644/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4b6468989653/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b6468989653964cef811f5f54369376c1f07ee33a4d5cb279374a03d0c06a9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1afabf84d9e0dba7f63981304279d403fbfe1370af131720529433f2be456b98

AgentTesla

Executable exe 4b6468989653964cef811f5f54369376c1f07ee33a4d5cb279374a03d0c06a9d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1afabf84d9e0dba7f63981304279d403fbfe1370af131720529433f2be456b98
Cape
Cape
https://www.capesandbox.com/analysis/373405/
  
Dropped by
MD5 319d4237496b1b37be0f92e01a5668b1

Comments