MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25
SHA3-384 hash: 8a5fd9780a22e35141aebe2ef2c78f1f9702f59ab53285a20f460a8b688485167c5fccb1cb0cc152f3656262a4ac4fb0
SHA1 hash: 73a0452fbc80e1d7782888e28c46e49d7e01ebd1
MD5 hash: 6c4a9f7c8893254e10bc2217cec26aef
humanhash: don-hot-quiet-quiet
File name:01_file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'872'384 bytes
First seen:2020-11-14 11:53:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:1i3K0mpPA9f35LxOIXOwgB3rDU1YQao6oF1UtR2AAnV+ZqWIemSp6c1LyC8YfdGc:sA4OpUn0EqCSiyyjK
Threatray 1'180 similar samples on MalwareBazaar
TLSH E28534D8744EA6B783C9E33F0A5788BFA8F1799CCA47A9888D7526F5A71132C3F14450
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534783
Signature
.NET source code contains very large array initializations
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316492 Sample: 01_file.exe Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected AgentTesla 2->63 65 6 other signatures 2->65 6 01_file.exe 3 4 2->6         started        10 01_file.exe 2 2->10         started        12 01_file.exe 2->12         started        14 3 other processes 2->14 process3 file4 49 C:\Users\user\AppData\Roaming\...\01_file.exe, PE32 6->49 dropped 51 C:\Users\user\...\01_file.exe:Zone.Identifier, ASCII 6->51 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 6->67 69 Creates an undocumented autostart registry key 6->69 71 Drops PE files to the startup folder 6->71 73 Contains functionality to hide a thread from the debugger 6->73 16 RegSvcs.exe 2 6->16         started        19 WerFault.exe 23 9 6->19         started        75 Writes to foreign memory regions 10->75 77 Hides threads from debuggers 10->77 79 Injects a PE file into a foreign processes 10->79 22 WerFault.exe 10->22         started        25 RegSvcs.exe 10->25         started        27 WerFault.exe 12->27         started        33 2 other processes 12->33 81 Creates autostart registry keys with suspicious names 14->81 83 Creates multiple autostart registry keys 14->83 29 WerFault.exe 14->29         started        31 WerFault.exe 14->31         started        35 4 other processes 14->35 signatures5 process6 dnsIp7 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->57 37 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->37 dropped 53 192.168.2.1 unknown unknown 22->53 39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->39 dropped 41 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 27->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 29->43 dropped 45 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 31->45 dropped 47 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 35->47 dropped file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 01:49:52 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jrecwisfnxzog4ig2wniv7wm323tn3ujwe5t3zuwrlhof46ot4sq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f15aec57a52535ae678c8b3e900a4e2bab105d1676eb097ebecde04914aee1d
AgentTesla
1d6004838e32ca7b5763964c99d3c92fc591c7b21d0de3595a7da27794ec5ab6
AgentTesla
29890b01a73b6721cf2e80232cc366b95be2eeb81bd7beb72372cd3ae4f05293
AgentTesla
3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675
AgentTesla
3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1
AgentTesla
4e0f1a66466311d8610b4610fc7ce3c8ea4bb8b71528035cbe3ff2204c3dacd3
AgentTesla
590d1a6a1fa00812284d4f5e4f47cb34d4965c79bfc9ec1741f2a8e14967719b
AgentTesla
789908dccb3fef2eaf91f04e9af718d53d58da605aaf092b549efccc869dff12
AgentTesla
93bb62774d2359778e34985d5c7fc6be51f91e48706509b8698714f0b5f46a46
AgentTesla
feb639dabb33ddc8d08dc3065a7a869225419d52be2aa0ec247377607a426ef3
AgentTesla
+ 1'170 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201114-lsqx99ptfx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25
MD5 hash:
6c4a9f7c8893254e10bc2217cec26aef
SHA1 hash:
73a0452fbc80e1d7782888e28c46e49d7e01ebd1
Link:
https://www.unpac.me/results/24018607-5165-4b80-9377-9425322a97e2/
SH256 hash:
94865ca1af5e20a2380ad69d926dca42b0f3203b43c81c944600d6f4153ef648
MD5 hash:
cb21a41120cbf56a2cf3fb50ac019fa3
SHA1 hash:
b5c0804c43d1214bfea5c899c7e1e2ef64a04b86
Link:
https://www.unpac.me/results/24018607-5165-4b80-9377-9425322a97e2/
SH256 hash:
a5aee6f07452d6dff64997503ff0745ad692db6d7a42c314e7dd746c5cfdc882
MD5 hash:
e212814e0cdd2b42c93e91d2e288772c
SHA1 hash:
e9225ae24f41d69b5315fba7f16fdc999dce11f9
Link:
https://www.unpac.me/results/24018607-5165-4b80-9377-9425322a97e2/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Visual Basic Script (vbs) vbs 3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675

AgentTesla

Executable exe 4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675

Comments