MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b9e0192120c6a09ac2d2c2fc746115035acf7a2d76e4e16c6bb229a96b61cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	4b9e0192120c6a09ac2d2c2fc746115035acf7a2d76e4e16c6bb229a96b61cd6
SHA3-384 hash:	e73f893106f77f748879e595af4dde14025801d06a20c49e88602e4905c4db1784fea5c7e2d8767e3e3af4e800332316
SHA1 hash:	741dbff396ff8e19f3cae1da3f6ba544ae0988c9
MD5 hash:	ceaeb1219c2dc105358d2ba55a4db41c
humanhash:	eight-fanta-crazy-dakota
File name:	SecuriteInfo.com.Trojan.Siggen19.15865.27032.4434
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	625'152 bytes
First seen:	2022-11-30 16:42:10 UTC
Last seen:	2022-11-30 20:30:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:7aqbW9hZjkEE5diLXApOUuGRYhajojt/3b1P4:7aqbJdiEpnuOY8Ghh
Threatray	24'180 similar samples on MalwareBazaar
TLSH	T1AED4F76287B1C946F93388EEA3EC5B514CA851C149B84849CD273E905E78C6BF4FC9F9
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	1032d232e98c3689 (16 x AgentTesla, 8 x AveMariaRAT, 7 x Formbook)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.Siggen19.15865.27032.4434

Verdict:

Malicious activity

Analysis date:

2022-11-30 17:58:37 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/039f658e-068b-4f4a-b480-5e23d0f840f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/340642/

Detection(s):

SecuriteInfo.com.Trojan.Siggen19.15865.27032.4434.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6387881769830678d7160df4/reports/2a31825f-2dbb-48a1-9e0c-55c079f965c7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1124204

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b9e0192120c6a09ac2d2c2fc746115035acf7a2d76e4e16c6bb229a96b61cd6/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-30 15:40:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jopadeqsbrvatlbnfqx4orqrka22z55c25xe4fwgxmrjvfvwdtla._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

194b21139e3a9a343c63617ad33ee48abdfa1566a4302a04b65df43888395400

AgentTesla

544bfbc907da2d25976337ae0bfb6f7135e16f01cadbacb62c21e9020f953f35

AgentTesla

54983544e9fd6e0423bcd9ea883e4ff1375abcdd58876d79701e9d24882500ed

AgentTesla

64b497c548522493d43bceed2cc41630f90f044eee97c973aadf9a230d4ec500

AgentTesla

a058e4db6871ecf56adf444c908980dbfb1a6eddc2cb2eae86d86c6df6111c30

AgentTesla

ceeaf351408125592c58eb70508f0387f293210a0f8ce14cbbda70fd6ef2254c

AgentTesla

+ 24'170 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221130-t78nwsbb3y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/28caeae4-2002-403b-8f93-d25b9f6088da

Unpacked files

SH256 hash:

f0bdf2368a88b37dbd84c9f24db60ffe10fca7bdca39de6cd2e06b8844073a79

MD5 hash:

7771cd2e0fcb1eef469178e633c55a03

SHA1 hash:

c7d5175f4ba90ae1bfde700d690e874fc7a3b2ce

Link:

https://www.unpac.me/results/aa4d6c93-1aff-4ed9-b668-5680a528ffe6/

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/aa4d6c93-1aff-4ed9-b668-5680a528ffe6/

SH256 hash:

2c3d3544eddae33c9dc198f736f0931feb4d339d018d5ffaeeb1d59b59a26c6e

MD5 hash:

1d96978d0f699652421a3d7a1b0f246c

SHA1 hash:

8769cb662976c6f230d6af2e136534704992d115

Detections:

AgentTesla

Link:

https://www.unpac.me/results/aa4d6c93-1aff-4ed9-b668-5680a528ffe6/

Parent samples :

1fe08e7ba52b00e78eb445d792ee3d03648b9b90ea02902e875df4668d490ac5
e83343e553c570230db6b0913a71a19c4d32356a3efccf716c5412595d2b81fc
4b9e0192120c6a09ac2d2c2fc746115035acf7a2d76e4e16c6bb229a96b61cd6
d2ca24f7ef22dfa8be6dc45ba0a64350d668bd0b9fb5a7be7d82305313d404bf
2c4a2cc243ae3181ece66667f70d020931b62714e6a0f96ae9e2bb134cf480e1
c5905f073e0cc529d56b3a0d78806d43bbe76a06245dc1e09d1919745cabf355

SH256 hash:

148a9d25c6ea5784dcf1d03732334ab75636f1bc6f722bb389aa440e4b363083

MD5 hash:

b5c3ee6146c2342cb1200503d4c685b7

SHA1 hash:

6292165afb33073592301e607ad6d30d80c228de

Link:

https://www.unpac.me/results/aa4d6c93-1aff-4ed9-b668-5680a528ffe6/

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/aa4d6c93-1aff-4ed9-b668-5680a528ffe6/

SH256 hash:

4b9e0192120c6a09ac2d2c2fc746115035acf7a2d76e4e16c6bb229a96b61cd6

MD5 hash:

ceaeb1219c2dc105358d2ba55a4db41c

SHA1 hash:

741dbff396ff8e19f3cae1da3f6ba544ae0988c9

Link:

https://www.unpac.me/results/aa4d6c93-1aff-4ed9-b668-5680a528ffe6/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4b9e0192120c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/4b9e0192120c6a09ac2d2c2fc746115035acf7a2d76e4e16c6bb229a96b61cd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340642/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample