MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776
SHA3-384 hash: 824c1cdf89c9723ce94c184e848440f0c202f26613bebcb864f411dc3eb232a2105a87205a58bc9a31ccbd64b0fa8db5
SHA1 hash: 7a431e107cb79ad5ffc6e5beed353623e989a1b7
MD5 hash: ca428a10b9c78d3da54b616dafb627ac
humanhash: sixteen-failed-mississippi-football
File name:4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'003'520 bytes
First seen:2023-03-06 13:54:00 UTC
Last seen:2023-03-06 15:31:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:sk9JiT/gnOmVT911111111111111coKu2h+HuyPYF:wgnz11111111111111Iu2hqPY
Threatray 5 similar samples on MalwareBazaar
TLSH T1C525E116BB41EB61DA2D8A34C12211F003F0AF9BE051DB5F5CC53ED57A72BAEA70A1C5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 7acec494e47c197d (1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776
Verdict:
Malicious activity
Analysis date:
2023-03-06 13:53:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97c2488d-21dd-45c6-9b60-76b10d7b9d48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372015/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65631513.7437.26887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6405f07b5961badabfa9bc1e/reports/5761d37c-4c82-4cdd-87af-22b2c8e5e9be/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OutSteel
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd660f0f-8051-4f9f-a5eb-3d7ae1be7d23
Result
Threat name:
DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1188051
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820929 Sample: oW9yVmYz8B.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 84 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected DarkTortilla Crypter 2->47 49 2 other signatures 2->49 7 oW9yVmYz8B.exe 15 3 2->7         started        process3 dnsIp4 41 www.google.com 142.250.186.132, 443, 49696 GOOGLEUS United States 7->41 31 C:\Users\user\AppData\...\oW9yVmYz8B.exe.log, ASCII 7->31 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->51 12 cmd.exe 1 7->12         started        15 cmd.exe 3 7->15         started        file5 signatures6 process7 file8 53 Uses ping.exe to sleep 12->53 55 Uses ping.exe to check the status of other devices and networks 12->55 18 PING.EXE 1 12->18         started        21 conhost.exe 12->21         started        23 reg.exe 1 1 12->23         started        33 C:\Users\user\AppData\Roaming\rev.exe, PE32 15->33 dropped 35 C:\Users\user\...\rev.exe:Zone.Identifier, ASCII 15->35 dropped 25 conhost.exe 15->25         started        27 PING.EXE 1 15->27         started        29 PING.EXE 1 15->29         started        signatures9 process10 dnsIp11 37 127.0.0.1 unknown unknown 18->37 39 192.168.2.1 unknown unknown 18->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 01:06:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
73
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqqssgtisdtisgbr6ej4jc2aqv5hxifpb4j26mbrijnydipsy53a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd
AgentTesla
76c4bd3211cad91689f1adf14cdbff0773a8e7ceb0271b79fd010a90eaa1c7ff
AgentTesla
79379c8d69f390ddf78257d47600c589542fd4755975abc462c702a5a5eae07f
AgentTesla
b83a1d3d0f3d6a9563dc91ef5b450405982b4606b87ce59e8cb4fa3a0a0589d1
AgentTesla
fb7bcd7984c61451e3728b5e5e877fb69984e1e82b665a4a085e5eb3d6f13dd1
AgentTesla
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230306-q7jg8aca71/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776
MD5 hash:
ca428a10b9c78d3da54b616dafb627ac
SHA1 hash:
7a431e107cb79ad5ffc6e5beed353623e989a1b7
Link:
https://www.unpac.me/results/b7765922-b59e-406c-ba14-e27270554045/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4c21291a6890/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372015/

Comments