MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bf41cde4567b152c73e5443cf5665638c937f5591565de839f250a472179fd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	4bf41cde4567b152c73e5443cf5665638c937f5591565de839f250a472179fd4
SHA3-384 hash:	6efd8445ece5d011cf5c9137d8a0d8736b003b4860f5058bf69aad2d7966aefc4f8bc121cc52f2a255c234888bd220b8
SHA1 hash:	cf6985a603aaa0e332e5262e53a453c66889877c
MD5 hash:	cd5bd8deb83c85d0936153868b34dd06
humanhash:	romeo-kilo-five-bakerloo
File name:	SecuriteInfo.com.Trojan.MulDropNET.40.10767.28482
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	239'616 bytes
First seen:	2021-05-25 15:07:31 UTC
Last seen:	2021-05-25 16:02:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:zRXQhf/888tFyBtB6Ux3pfiDlQfJaBmcFAlQImZB+grQIvc7n8dQSOALR3bAIAYs:zTLqZadj7mz0xK
Threatray	5'256 similar samples on MalwareBazaar
TLSH	69345A2C1910FE26D16381B8CCC1F5FBE1945F1635211B9F9B97BF27763722A29A00AD
Reporter	SecuriteInfoCom
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.MulDropNET.40.10767.28482

Verdict:

No threats detected

Analysis date:

2021-05-25 23:09:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7c5f0cbd-5ca4-4d8a-a936-3e5235740516

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/162031/

Detection(s):

SecuriteInfo.com.Trojan.MulDropNET.40.10767.28482.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/791741

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4bf41cde4567b152c73e5443cf5665638c937f5591565de839f250a472179fd4/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2021-05-25 12:17:06 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jp2bzxsfm6yvfrz6krb46vtfmogjg72vsflf32bz6jiki4qxt7ka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2b128560da3f57b305996b0447be082b0a7d40d10ed3000c931c13c6f9ce8661

AgentTesla

3d652eb897291f8eb2fe8f9374007388b0cd426a797de77545b82a325dde762a

AgentTesla

931b74dae99d57d93b21fb72c0da9184b83e04f95e024e9a7990a6c57a73ac7e

AgentTesla

989f330817cadbe60308cdd0977792aa3ee8fd2f55b2e92ed32d2416de16c32d

AgentTesla

a8dba39ad00064bad947851725eb20e863581975d75d02e5e74ba6773918c7b1

AgentTesla

ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8

AgentTesla

b96e5b8548a31fc43385a31b1c23a9ad95440309ccc6baa10dced1833e118d5e

AgentTesla

d65fa2504374d19e221d6631799f41426450d650355098be07f7cfa667d80bf9

AgentTesla

df5e40d1e917f0bd4c424f65c8e2557d094f5eff22b4ba6f63f093333ebbb8a9

AgentTesla

+ 5'246 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210525-kr6jx1g1k2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4bf41cde4567b152c73e5443cf5665638c937f5591565de839f250a472179fd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 4bf41cde4567b152c73e5443cf5665638c937f5591565de839f250a472179fd4

(this sample)

Cape

https://www.capesandbox.com/analysis/162031/

URLhaus

https://urlhaus.abuse.ch/url/1282412/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample