MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c5fed31576f3794c65c90668da4380ae9f16b6552eb2e820d8a7fb1cc98e89f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c5fed31576f3794c65c90668da4380ae9f16b6552eb2e820d8a7fb1cc98e89f
SHA3-384 hash: 5223b0e96a91ecfb292ee596eb6b090a8c14d1a266abe4e22de8d6e895bda4f4c37d89fb33b10e260c48e9e07c18dba7
SHA1 hash: c4dbf6e17f4070fc4fccc7d6dcd3f3d921760918
MD5 hash: d24074406e308f8af4f11577682c4230
humanhash: glucose-lemon-alaska-jig
File name:d24074406e308f8af4f11577682c4230
Download: download sample
Signature AgentTesla
Create hunting rule
File size:923'136 bytes
First seen:2022-08-22 08:43:02 UTC
Last seen:2022-08-22 10:51:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:afEWcBe9vJF1zxqEs9Ae/snLkhlOzoaJiHu+ZZm/+Fe5KIVHtDY2:SEvBIv3GEkAe/snLlzwOMZm/+FeQyNb
Threatray 18'730 similar samples on MalwareBazaar
TLSH T1C115DFBD6BAA4506DD6E44B4D0E482541673E816322FEFCFF983A4E90E363FC4106663
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f72e98b1b9dccecf (17 x AgentTesla, 16 x SnakeKeylogger, 3 x Formbook)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
45.doc
Verdict:
Malicious activity
Analysis date:
2022-08-22 06:58:26 UTC
Tags:
trojan opendir exploit CVE-2017-11882 loader agenttesla
Link:
https://app.any.run/tasks/17bc0d2c-6488-4989-98c8-0ea5b80f86d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300177/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.21392.24959.27541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6303421f393b1c8c47034112/reports/f4d30667-db71-4a09-b76e-20439f679448/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/38db884e-0f35-4963-bae1-9dae91ab62ea
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055388
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 687905 Sample: RzNYM7YvjV Startdate: 22/08/2022 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AgentTesla 2->47 49 5 other signatures 2->49 6 RzNYM7YvjV.exe 3 2->6         started        10 InxbcD.exe 3 2->10         started        12 InxbcD.exe 2->12         started        process3 file4 21 C:\Users\user\AppData\...\RzNYM7YvjV.exe.log, ASCII 6->21 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->53 55 Injects a PE file into a foreign processes 6->55 14 RzNYM7YvjV.exe 2 5 6->14         started        57 Machine Learning detection for dropped file 10->57 19 InxbcD.exe 2 10->19         started        signatures5 process6 dnsIp7 27 us2.smtp.mailhostbox.com 208.91.198.143, 49710, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->27 29 192.168.2.1 unknown unknown 14->29 23 C:\Users\user\AppData\Roaming\...\InxbcD.exe, PE32 14->23 dropped 25 C:\Users\user\...\InxbcD.exe:Zone.Identifier, ASCII 14->25 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 31 208.91.199.224, 49718, 587 PUBLIC-DOMAIN-REGISTRYUS United States 19->31 39 Tries to harvest and steal ftp login credentials 19->39 41 Tries to harvest and steal browser information (history, passwords, etc) 19->41 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4c5fed31576f3794c65c90668da4380ae9f16b6552eb2e820d8a7fb1cc98e89f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 08:44:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jrp62mkxn43zjrs4sbti3jbyblu7c23fklvs5aqnrj73dtey5cpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba
AgentTesla
456b668f6150315e658d825afa5ac2e6aaaeaeb36b9fdc8dfed080bec820b2fa
AgentTesla
9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d
AgentTesla
a5bfb96e7da47e2d6e67949fe127160a037d082cdeaa7913815aa63bf939fab7
AgentTesla
b484edef2132ebb9af301e05295fd56bc7298db9fbb8c6ce43b6297950b0e4e2
AgentTesla
ebdbd8487dfdaebc34214de4e2f6fdfc5b5cfb30b9fa98ca9269a4cfae16cb93
AgentTesla
f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212
AgentTesla
f8f3a24e97b0c9e4941baab62a4eeb64b9cc7e82ad97398b95b58fbf1289fb24
AgentTesla
+ 18'720 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220822-kmmfgsddhm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ceda93fdfce3ad8e4f800d4f2d940d793b68b4b0b254b652bf42e13dbd189ba7
MD5 hash:
786afe844ec1723b635cace747b60efd
SHA1 hash:
fa647a584a7fcad392147a182e3a2435b3ad5bb9
Link:
https://www.unpac.me/results/af498cce-3396-4d8d-b0c0-dd20ca672d46/
SH256 hash:
e5e2c0b4efbb51c8be882b60311ae745323b01638858d711660cbd679e2632ec
MD5 hash:
3c581e7d2a3ba45c884bfe2ad3c5f128
SHA1 hash:
8c180fb7369a0e5796f3d6ba5d616082e71bb399
Link:
https://www.unpac.me/results/af498cce-3396-4d8d-b0c0-dd20ca672d46/
SH256 hash:
18af42f0bb967523f6b0977c3609272d006b0122b15cfe014f62bd81a16633ec
MD5 hash:
648794447bf3192c8cb30d54a38434eb
SHA1 hash:
84cd3811029280c731180549cdc05c37e9a9b9e0
Link:
https://www.unpac.me/results/af498cce-3396-4d8d-b0c0-dd20ca672d46/
SH256 hash:
5ea44bd6bf2685f9703d4a1f0fe8e8be8e95e86f09c385927ba813abd0b43a47
MD5 hash:
2ba2e530301d0871274c00d206e0fb2d
SHA1 hash:
2fc39c45b405bb7d1f7dc4cab3e95ba12e744ad1
Link:
https://www.unpac.me/results/af498cce-3396-4d8d-b0c0-dd20ca672d46/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/af498cce-3396-4d8d-b0c0-dd20ca672d46/
SH256 hash:
4c5fed31576f3794c65c90668da4380ae9f16b6552eb2e820d8a7fb1cc98e89f
MD5 hash:
d24074406e308f8af4f11577682c4230
SHA1 hash:
c4dbf6e17f4070fc4fccc7d6dcd3f3d921760918
Link:
https://www.unpac.me/results/af498cce-3396-4d8d-b0c0-dd20ca672d46/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4c5fed31576f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c5fed31576f3794c65c90668da4380ae9f16b6552eb2e820d8a7fb1cc98e89f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4c5fed31576f3794c65c90668da4380ae9f16b6552eb2e820d8a7fb1cc98e89f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2275528/
Cape
Cape
https://www.capesandbox.com/analysis/300177/

Comments


Avatar
zbet commented on 2022-08-22 08:43:08 UTC

url : hxxp://23.95.122.90/45/vbc.exe