MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b829090c73292ec0db9fd7f3eb6bf386ff101065477fe3caa7c5f00d513f089. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	4b829090c73292ec0db9fd7f3eb6bf386ff101065477fe3caa7c5f00d513f089
SHA3-384 hash:	e5bbfa026297f53f5f100596d4756bfca38507e37b49ec086a896e0c038bcaee167033aa4280454cfecb7b96c8728239
SHA1 hash:	53a5cb9065c4a98fcf2c9d9870c11e426d7ed5de
MD5 hash:	ad039648ce4e9af03693c329132023c0
humanhash:	fanta-echo-leopard-early
File name:	PEDIDO.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	380'373 bytes
First seen:	2023-11-26 18:19:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7eae418c7423834ffc3d79b4300bd6fb (54 x GuLoader, 17 x RemcosRAT, 16 x AgentTesla)
ssdeep	6144:bNDlOltlhgyorPXMBxixIgYihgQyYSHuSLPRn+4lC6prZcV28dfiBWkFYlP/S:but7gy0fMxixXYihgQTSOSLo4l9pt2f4
TLSH	T15B8402826754E16ED0A78B327B76ADD646F43C2E2461350EB3B0FB5E347F602860B725
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4e0d27230b95858 (4 x AgentTesla, 2 x GuLoader)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/460397/

Detection(s):

SecuriteInfo.com.Trojan.Agent.EKCH.14211.11984.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% subdirectories

Delayed reading of the file

Searching for the Windows task manager window

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65638c5a1dea9b05c3cb9446/reports/0f6d8f8c-8ed1-4290-91f7-a110c7ee1ca4/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4b829090c73292ec0db9fd7f3eb6bf386ff101065477fe3caa7c5f00d513f089

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bd53386b-7f43-4dde-9cf2-7776b4060b92

Result

Threat name:

GuLoader, AgentTesla

Detection:

malicious

Classification:

troj.evad.spre.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1348087

Signature

Antivirus / Scanner detection for submitted sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4b829090c73292ec0db9fd7f3eb6bf386ff101065477fe3caa7c5f00d513f089

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b829090c73292ec0db9fd7f3eb6bf386ff101065477fe3caa7c5f00d513f089/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-11-22 23:24:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 23 (56.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jobjbeghgkjoydnz7v7t5nv7hbx7caigkr374pfkprpqbvit6ceq._file

Verdict:

malicious

Label(s):

agenttesla_v4

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231126-wyq4laah38/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

AgentTesla

Unpacked files

SH256 hash:

1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

MD5 hash:

f27689c513e7d12c7c974d5f8ef710d6

SHA1 hash:

e305f2a2898d765a64c82c449dfb528665b4a892

Link:

https://www.unpac.me/results/c7e4cfd9-530b-4afa-8a0b-264fff594657/

SH256 hash:

6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

MD5 hash:

8cf2ac271d7679b1d68eefc1ae0c5618

SHA1 hash:

7cc1caaa747ee16dc894a600a4256f64fa65a9b8

Link:

https://www.unpac.me/results/c7e4cfd9-530b-4afa-8a0b-264fff594657/

SH256 hash:

bc4f95b716d26bbf9a6434569a6d777755ba233666a9ce57cb393ca25b82212f

MD5 hash:

d4be14b49e319ba76c559e6c2c284a04

SHA1 hash:

ef39e0be34505530da6710d450c0d97922ef0e1d

Link:

https://www.unpac.me/results/c7e4cfd9-530b-4afa-8a0b-264fff594657/

SH256 hash:

f344713a08459675b6db6fc79e93f7813d8793af6fd9a2c8c64aa1a0a0e0d218

MD5 hash:

d53c32cedd3d4c37d0a35183ec531ed9

SHA1 hash:

1184372024a780df8234ac67c4a5db4d303adbc5

Link:

https://www.unpac.me/results/c7e4cfd9-530b-4afa-8a0b-264fff594657/

SH256 hash:

4b829090c73292ec0db9fd7f3eb6bf386ff101065477fe3caa7c5f00d513f089

MD5 hash:

ad039648ce4e9af03693c329132023c0

SHA1 hash:

53a5cb9065c4a98fcf2c9d9870c11e426d7ed5de

Link:

https://www.unpac.me/results/c7e4cfd9-530b-4afa-8a0b-264fff594657/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b829090c73292ec0db9fd7f3eb6bf386ff101065477fe3caa7c5f00d513f089

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/460397/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample