MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1
SHA3-384 hash: 8f952df6291c444fd995f5163cafaa40a61ba56d21c1bee599f281bb2feaee7e7b8154ccdc9e29445b9fdf3912eab8a5
SHA1 hash: ce59437da47303a25b606870fa8fdf0568144efb
MD5 hash: 836cecd8d1e2e7c9146f9349209a9556
humanhash: island-nuts-fillet-quebec
File name:06082022,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:667'136 bytes
First seen:2022-06-08 06:08:41 UTC
Last seen:2022-06-08 06:21:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xqS+HBYnr6aWHNqXUEpEetujg6rOU+cCBq9yhPe1kgJp71GVCbo9q:chYOaWoUEpjtuk6rObcyRhPe1kiqkbo
Threatray 17'405 similar samples on MalwareBazaar
TLSH T180E4121933ED0B63D67D6BF988A9004087B0A62B6927F31E0E8535DF4AB77C4C666713
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
06082022,pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-06-08 06:10:06 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/f2fb05f5-7b12-488e-834e-c4358d05e755

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277619/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62a03cff6aa17a21fc2bb3ec/reports/4ba32701-9c92-4f9d-ac96-004fa4b7400c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85ed61fe-ba12-47e0-97e2-49d4727af33c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008745
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 641241 Sample: 06082022,pdf.exe Startdate: 08/06/2022 Architecture: WINDOWS Score: 100 29 Malicious sample detected (through community Yara rule) 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Yara detected AgentTesla 2->33 35 6 other signatures 2->35 7 06082022,pdf.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\eYkQhgmfuVSJV.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp3484.tmp, XML 7->25 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Adds a directory exclusion to Windows Defender 7->43 11 06082022,pdf.exe 15 6 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 27 api.telegram.org 149.154.167.220, 443, 49748, 49756 TELEGRAMRU United Kingdom 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 06:09:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqhs32lye3kwxlrmjlzrzua4jnufcvbtsq4rrly7fcejlb72cpyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00509d2de60dcdf523ea44b90e5dbbb510f6298bcd9810686ea625d33160176e
AgentTesla
16b1cff94d925182e95124fa432b55cc290fc81d9480493b3ff09e139eb0da6c
AgentTesla
2d953bacc08078b0e943d0bbaa249b546c2ba4bd52d321b6309a9cb2351789b8
AgentTesla
32252e51624f449f015636763feb4a6eaaea3f7ba436a217d9d1aae348529de7
AgentTesla
48edd19f150f6864d5179240e15c60af024d1e18ed34736abcdd59b1c636412b
AgentTesla
5867949f46108ef444395ab2eebc994b0f48867e98313ecd5d57901fa8ab5acd
AgentTesla
5a32cc367669d0ab7fd55f6262fddf6395bfe71124683f15bf8f1497eb5d4a42
AgentTesla
b0e427b8e2db98edeea688cda0c6b0e33f936fae3a7b09b529a85a6190083df4
AgentTesla
e88dcfdcdd55c9c3d34192b4670110e6277aee2eb99310a1cd4f5059709466bc
AgentTesla
+ 17'395 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220608-gwfgrageb5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5511781308:AAErVun6zYTGbB-eAQSqQ9eKk2k67n-ILNw/sendDocument
Unpacked files
SH256 hash:
03456aec87131db7729b4c7bbc2cdc1f4128d00e283fc4ac7e127cda6fb5e8f4
MD5 hash:
c6520935b20427767109fa20161666b0
SHA1 hash:
e51db6f19c1043c8c06590cfab82b87d17171d36
Link:
https://www.unpac.me/results/a4c96beb-cc73-46c9-94fa-38b94a770cf8/
SH256 hash:
36b93029c0e36927e290f732feba9023428c6605b393328cc7768fd6ba5462c5
MD5 hash:
5e8ee3c7c5c423076363a3428eab86b9
SHA1 hash:
4d143b0b6b5d81dcd86665adf0b02dcd225adce8
Link:
https://www.unpac.me/results/a4c96beb-cc73-46c9-94fa-38b94a770cf8/
SH256 hash:
26800162f60a13856572a61627196f186ef78de1b6b602b1b1bec765dba0789a
MD5 hash:
9d94341d563b5e40dae936ee234f26ab
SHA1 hash:
33ccbe97b3c40d8cc6651bee672b0043ee010814
Link:
https://www.unpac.me/results/a4c96beb-cc73-46c9-94fa-38b94a770cf8/
SH256 hash:
4b3059a1fcd6c58c7fc4e574766133e89e95cb0fe6631b7f4aee664370c2571d
MD5 hash:
97f6ddc9c7e648e589849d8d6466bc18
SHA1 hash:
1104888244c872d5726728e0cb05ae6edaabf2bf
Link:
https://www.unpac.me/results/a4c96beb-cc73-46c9-94fa-38b94a770cf8/
SH256 hash:
4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1
MD5 hash:
836cecd8d1e2e7c9146f9349209a9556
SHA1 hash:
ce59437da47303a25b606870fa8fdf0568144efb
Link:
https://www.unpac.me/results/a4c96beb-cc73-46c9-94fa-38b94a770cf8/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4c0f2de97826/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277619/

Comments