MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b9320bec4f05c232b2a22cfbe3d8816cdc6b6b069dcc4eaf19cb687c2da657e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b9320bec4f05c232b2a22cfbe3d8816cdc6b6b069dcc4eaf19cb687c2da657e
SHA3-384 hash: b5e834d8a2cded35b4da1297edd353081658bcc11ecf05398f9eb4b26b4d7c9be9520e8b00758ce7d25bb4a256d891ce
SHA1 hash: c6fad1108c380156ddb1dc61ad51e09f09f40e8a
MD5 hash: 473074e5983dc8f497f95e459035d231
humanhash: august-washington-music-hotel
File name:Midgjuhe.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:113'664 bytes
First seen:2022-02-11 08:23:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:iDzWPOpdry8o05lhUqrAMgTPA1p8Dja+auDOLQyDl9hFDO4rQ6ZQY7j1lQ7wXVAp:GzWPOpkCvq4C
Threatray 14'801 similar samples on MalwareBazaar
TLSH T181B3FF50E94DACD9E7D8C1B3B93A9B100575BAEB92F8819F2265371452F37C320B7D0A
File icon (PE):PE icon
dhash icon e4a4a48c96b2f074 (22 x AgentTesla, 8 x Formbook, 5 x SnakeKeylogger)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240875/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62061d27289e2f3e4fc18e3c/reports/c5bfec0d-a9a7-42e7-b010-fa9e1b1363db/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd5fb2c3-fbeb-4412-84dc-0b3f440a546e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938288
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 570765 Sample: Midgjuhe.exe Startdate: 11/02/2022 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->38 40 4 other signatures 2->40 6 Midgjuhe.exe 16 6 2->6         started        11 Test.exe 14 3 2->11         started        13 Test.exe 2 2->13         started        process3 dnsIp4 30 cdn.discordapp.com 162.159.135.233, 443, 49747 CLOUDFLARENETUS United States 6->30 24 C:\Users\user\AppData\Roaming\Demo\Test.exe, PE32 6->24 dropped 26 C:\Users\user\...\Test.exe:Zone.Identifier, ASCII 6->26 dropped 28 C:\Users\user\AppData\...\Midgjuhe.exe.log, ASCII 6->28 dropped 42 Writes to foreign memory regions 6->42 44 Allocates memory in foreign processes 6->44 46 Injects a PE file into a foreign processes 6->46 15 MSBuild.exe 2 6->15         started        32 162.159.129.233, 443, 49763, 49765 CLOUDFLARENETUS United States 11->32 48 Multi AV Scanner detection for dropped file 11->48 18 MSBuild.exe 11->18         started        20 MSBuild.exe 11->20         started        22 MSBuild.exe 13->22         started        file5 signatures6 process7 signatures8 50 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b9320bec4f05c232b2a22cfbe3d8816cdc6b6b069dcc4eaf19cb687c2da657e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-11 02:48:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jojsbpwe6bocgkzkelh34pmic3g4nnvqnhomj2xrts3ipqw2mv7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08a29dc6fe654440e5f4381b8394a4dc30da8b994e0d0a2e1cb9ef32591fb13f
AgentTesla
3856dcf8e7f4098a54379da0b07bac3bc497a5e7c14914f880f241dd6ee65464
AgentTesla
3b1da48931ff3140f0b370a3215b15e5774b8cc2597e04b31cd6f241671ccbdc
AgentTesla
3ee4e620dd7cb6d8a6f604e5653a4f5cbf1258032ffc7d13ae9a415c672a5713
AgentTesla
75c011f9b3573845b4a39599d433530ee9915ad39c443a299f142b919df1ee82
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
f0989d4ad8e20e8058adbbd82ec73fed0af327ad40439038bc3cd09ff7ae765f
AgentTesla
f9989bce3ddcc0eb0f95bae744a31bd28e06b229f2757ad7fe7a92c8952ac78f
AgentTesla
ff89ced611d4ad5167bec7392316bd7a75c45cfdde67d26f248178aa728b263c
AgentTesla
+ 14'791 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220211-kapp3seagj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
4b9320bec4f05c232b2a22cfbe3d8816cdc6b6b069dcc4eaf19cb687c2da657e
MD5 hash:
473074e5983dc8f497f95e459035d231
SHA1 hash:
c6fad1108c380156ddb1dc61ad51e09f09f40e8a
Link:
https://www.unpac.me/results/83fedf49-6a44-40c9-8b25-67d35383d818/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4b9320bec4f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 35248022f594b4c2af73374ce544ab23f99c26471bc8f6fafc898b3f5b5a9639

AgentTesla

Executable exe 4b9320bec4f05c232b2a22cfbe3d8816cdc6b6b069dcc4eaf19cb687c2da657e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 35248022f594b4c2af73374ce544ab23f99c26471bc8f6fafc898b3f5b5a9639
Cape
Cape
https://www.capesandbox.com/analysis/240875/

Comments