MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 17 File information Comments

SHA256 hash:	4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0
SHA3-384 hash:	1ec21768044dc583cb8b4aff68e5655ec8f522eee8314b4ca51e02776e5ccec7e81a1395eaed6484614823074ea73a80
SHA1 hash:	96f7e4438a1fc56f107f90503d5508c43147581c
MD5 hash:	6f1ab9d285df09ed31df2497a528268d
humanhash:	football-artist-maryland-item
File name:	DHL AWB TRACKING DETAILS.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	635'904 bytes
First seen:	2024-03-15 08:23:23 UTC
Last seen:	2024-03-15 10:26:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:SipMNBLA0CDMTGZMNzjwmm8ftxvOTUYHboSe1tnYsKdP:SiSNBE0CDoGRf8/abne1hYN
Threatray	662 similar samples on MalwareBazaar
TLSH	T134D42335B7DA73A0ECF507B41E2372810FB9F2199031897C24C67DB814BA33E1E5A5A9
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

Intelligence

File Origin

# of uploads :

# of downloads :

343

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0.exe

Verdict:

Malicious activity

Analysis date:

2024-03-15 08:44:16 UTC

Tags:

evasion agenttesla stealer

Link:

https://app.any.run/tasks/b3e91ef7-b530-4e64-8304-34adcb397481

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/479116/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/adcb33e3-d36d-4882-9aaa-e76bc2950ac5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1409435

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-03-15 02:14:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsn7hmzndcohllwprp2spocfz6xkstckzqyewmyksjpuliad7gya._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

11d7212106c1e7d65ca5b3a3d6c197775e224c151b89900de265e6efcbb68322

AgentTesla

16e3a82a5c0094537926cf5286fdc10fdef7ca5984ff63009582125a8efa1546

AgentTesla

b224c93b27774068d0c1a5e0ba7e744ff382c96ef02b2626fd434d1686f35e3a

AgentTesla

+ 652 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/240315-kaqblsbh7y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

b18c02279b5016ab433cb11fc68212055966fbe81bb7d7f10d526fb2b61d6454

MD5 hash:

149f6e1717a06c65c1f12b5b06940fa3

SHA1 hash:

d725ed17da37f999989da683ac1f53d50bb217d5

Link:

https://www.unpac.me/results/0bef7e8d-9ba1-414e-aea7-a06b7f8efb38/

SH256 hash:

68e433364bc17a5e82a50d8cb9340744972ebb6af93352d6247ae2d7a22a1852

MD5 hash:

d7db9c6389c472db5dc849bce28f14fe

SHA1 hash:

cdd4e1637aab74c4f35e382f36435753cd3020e9

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/0bef7e8d-9ba1-414e-aea7-a06b7f8efb38/

Parent samples :

4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0
6c37a2a936f9bbfd57948d3563b2fde3a492cf72904889d85bafcce2e4ca3b9d
951f86d33d0cae5be953aa0d77048b3237eaad2f8dc067522a592e14862db975
a97377cfba7cbb86a985eb4820a3642b8d72693627a7321a6d1cdb859e3e6265
cbf47edce01777d05a17e93ee52242f4912c8eb1c02f0622ecf5c0f07d27f3d6
5089e8bf32ebe54189b052eab160714b1e4ebe9808356fbb42e40721a1d4213b
b0559f0033d94c40566878458f4be7871acbf4e2e17e75884170c853f8144493
87b29de4ec8f08c9a232a8e16ae7bd15c6a613eb527c0d753d6cd6a865ae9b65
601fbc5c07995ae23253ab8b45b790f7bd35305b4282fde19a3eedf158e60d07
377df318502b404bf7b0a8cb059aa3eba749e06b366e13c393ebfd588b4a6b7b
b74b2f6493fc4b4c58b134f919a464adfc5f923a0804a9cf3d4f592713d65ec8
44606c694b22eeb4c7fcf2059db2d83125e8f5f8c2df933fe4cae0ff8f70f977
62b28d1938dadd8adb22dd0351b27cd9a4b4e397bdca25e9d190cf9a831bd0f1
2c38956763bb9c8df8d9eb32a8f30252e3e4ac0249f650f609d0036a16e01b9e
c89dbc33b2bed22fe68911bf6e23eb613cebc22f868290d4576822e26092798f
411306e63dfc6d07f24c7af59ba1b0ad39825694ad8c34453edc34d0855e3c1b
3b0246cc2beaacf7c22ab27377a14e9d5cba3dc5b514b4f4a5e8c2eb9c20f612
e2697884e3f33ccdb87e6d1374d6e48aba0d729d0af554694c435b00099f18c5
9cf5a62a4f7dd38bd1810c9e6bbcdd36581e1c7872bb8bbfd223f36a5d6a95ea
d35aa260122d0e628100a616e9a144fcea5dc667f4108fe847fcf49db479af90
cfda50dfa3a323daf2ada9dadf993a2fc35587f288da3450b69b71e1c17b43e1
2a60bbd88d84157bbebd77c9f586a6beb3f6667ca2da5df0e5ccc8a7fdda6dab

SH256 hash:

11403c00cf81290554756c65ede603e61fdf717ad129f4e72aaa8cd1e1e58061

MD5 hash:

54eccd0719a7a9837e52e1dddfb991da

SHA1 hash:

c98e58034ad1ccc2e6692a99f2e4ab8b18e618c1

Link:

https://www.unpac.me/results/0bef7e8d-9ba1-414e-aea7-a06b7f8efb38/

SH256 hash:

c10c9b0882bac6f788f48b4dabe3291b14e639e650f2b9fcb0bc174ac92ae02b

MD5 hash:

7c7fb6daa78beb69128991ff893143ed

SHA1 hash:

c01bb99984b12b84129db80eae1d5d8341a358e2

Link:

https://www.unpac.me/results/0bef7e8d-9ba1-414e-aea7-a06b7f8efb38/

SH256 hash:

c7b65c024c00424121be603e04c3032bfb1415c2bb12dadcf03c34ee72321c58

MD5 hash:

1c54147f268ac0afa3a41e7c89a79162

SHA1 hash:

221ff832887f8be905fd555f973422b587bacefb

Link:

https://www.unpac.me/results/0bef7e8d-9ba1-414e-aea7-a06b7f8efb38/

SH256 hash:

4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0

MD5 hash:

6f1ab9d285df09ed31df2497a528268d

SHA1 hash:

96f7e4438a1fc56f107f90503d5508c43147581c

Link:

https://www.unpac.me/results/0bef7e8d-9ba1-414e-aea7-a06b7f8efb38/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c9bf3b32d18/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/4c9bf3b32d189c75aecf8bf527b845cfaea94c4acc304b330a925f45a003f9b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/479116/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample