MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bfa748a871e9b9e6f1defff58eba0046b0b838327845185d6ba6eaa5fc85f73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bfa748a871e9b9e6f1defff58eba0046b0b838327845185d6ba6eaa5fc85f73
SHA3-384 hash: d40aa3dc7874db4d87ddac42ccfb6e6cb4967b0656b2b04cae17c3c236f97b0847d591200afc17976c6b22e20b7358c8
SHA1 hash: c27c09eb0d960539f3949fee85cd9b764fe40767
MD5 hash: 6979d389f97f72ff28a44b48f847cbb8
humanhash: stairway-lake-blossom-beer
File name:6979d389f97f72ff28a44b48f847cbb8.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:547'840 bytes
First seen:2021-12-16 09:27:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:A3uuHoA5QfJmLGlFK8Z6W3TmMG473FpHQWe4Vmk+uSK3BtGG:RYoA5GskXx3TXG4hpw14Vmk1SK33GG
Threatray 13'465 similar samples on MalwareBazaar
TLSH T1C3C412403FA88717C63D1BFC28A2512103F5A11A7617F7856FD5B2EB27A2F814B81AD7
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VIET HVEDEDS.doc
Verdict:
Malicious activity
Analysis date:
2021-12-16 07:58:55 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/fef9de93-5618-401a-99c9-5acde59b19d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214544/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61bb06a76daa353fa3b4e76a/reports/6a69cf7f-7a4a-44af-bb52-aa78ff403032/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aeb89663-e366-4536-bc51-024ee7863d07
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908398
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4bfa748a871e9b9e6f1defff58eba0046b0b838327845185d6ba6eaa5fc85f73/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 09:28:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1332f016c96028681eca98552bc1e865b49ebf45484cdba2c665ccbda2133a32
AgentTesla
4b7ebbf2cb82e29b854f646b66e3756b5226910b42996d267fb770eff225954d
AgentTesla
65e72e73312c4f4b1b721cc8a2ffea2e473bb4c225918e545183bce15f6662d5
AgentTesla
703cb8e9deb97402bf8f621f17e16b765d2a3584b383af7808c8b1b6d2d163a8
AgentTesla
868a234549cdea90ac328cb48cf80a15e46895528ee49ea900df95e15757fc41
AgentTesla
8e4f36f7dd0346096fd4c674c64008f9443e839d09f623631f88cc25cb849311
AgentTesla
ac6ff436075886c4a58ef900c453b12fdd17464e6d803ddd7c4745ac224e0c1f
AgentTesla
b4d2896300bf333a24f8552fd4cdd7fb233d4ec8bfdde46a54e935110f927943
AgentTesla
c6b029b8de634379fabbf8df9972527368f763785debc33ae45dee1df72c0001
AgentTesla
+ 13'455 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211216-lfb7lsceaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
4169d52ef6b5a484ebc1d91b000421532d2434b5f3626c7c9771c7797c94c6d0
MD5 hash:
bd82e347d0b28cca7b1368138b872311
SHA1 hash:
efa2c40e8a65dc23e08ed996c40d6ed7cff14818
Link:
https://www.unpac.me/results/d082ce6f-6b14-47e3-950e-b20fbbca49bc/
SH256 hash:
8afafc2d7e03bb2b7fda2e58946234740af97aa37afe0940788697bc51c2deb3
MD5 hash:
a3ac6085d4e37166a8d0bf4425cff272
SHA1 hash:
59dfc4f9e3515d5156e202808ff50ad3bee52ca4
Link:
https://www.unpac.me/results/d082ce6f-6b14-47e3-950e-b20fbbca49bc/
SH256 hash:
352c6eae2a925a1f1048c08c483ddc7c24b9cfb9dfa0922a7f8d1a0a5e95f771
MD5 hash:
6b790194b95b667ae7f0d84b07b717e8
SHA1 hash:
1d24d5f149e216163b1ee57a4e36c0be9b430bf7
Link:
https://www.unpac.me/results/d082ce6f-6b14-47e3-950e-b20fbbca49bc/
SH256 hash:
4bfa748a871e9b9e6f1defff58eba0046b0b838327845185d6ba6eaa5fc85f73
MD5 hash:
6979d389f97f72ff28a44b48f847cbb8
SHA1 hash:
c27c09eb0d960539f3949fee85cd9b764fe40767
Link:
https://www.unpac.me/results/d082ce6f-6b14-47e3-950e-b20fbbca49bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bfa748a871e9b9e6f1defff58eba0046b0b838327845185d6ba6eaa5fc85f73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4bfa748a871e9b9e6f1defff58eba0046b0b838327845185d6ba6eaa5fc85f73

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1890055/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214544/

Comments