MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c
SHA3-384 hash: 2596beeb3bdc0edbbbb5adab47524a218fe6102a4aceac2cfea3448fab6bb03c5a58228df22aea4886331d5e8536e50c
SHA1 hash: 0638d88bb7e6c769e37b6b74a9a9feca4c300cf3
MD5 hash: 246a2c0d71e7ef9dbcc900547e7be591
humanhash: yankee-utah-diet-uncle
File name:TT Application form.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:648'704 bytes
First seen:2023-04-28 19:04:56 UTC
Last seen:2023-05-04 09:43:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:pE6Y1//BgKkVzYiTnlSWnk6/Ws78LVq+hLXm/egQVtS:pEz1eHVBnlXkoizUZ
Threatray 577 similar samples on MalwareBazaar
TLSH T17FD4AD535065CD0FFE2AEBB091B4FF55A6F1F07364D194242BB9218ACBA9F011E8C52E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
294
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT Application form.exe
Verdict:
Malicious activity
Analysis date:
2023-04-28 19:06:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/368599ef-1352-447d-9ea1-bb30ef3913da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385524/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/644c18df1facab193c66a4bd/reports/778e38ff-1534-4db0-afa2-078c700dfec5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76aab05c-31e7-4b7f-a02e-fd7dfa2bbaeb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1223082
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 856035 Sample: TT_Application_form.exe Startdate: 28/04/2023 Architecture: WINDOWS Score: 100 42 mail.modelinfra.com 2->42 48 Found malware configuration 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 4 other signatures 2->54 8 TT_Application_form.exe 7 2->8         started        12 NsFThSDsSuY.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...34sFThSDsSuY.exe, PE32 8->34 dropped 36 C:\Users\...36sFThSDsSuY.exe:Zone.Identifier, ASCII 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmpB9DE.tmp, XML 8->38 dropped 40 C:\Users\user\...\TT_Application_form.exe.log, ASCII 8->40 dropped 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Adds a directory exclusion to Windows Defender 8->60 14 TT_Application_form.exe 4 8->14         started        18 powershell.exe 19 8->18         started        20 schtasks.exe 1 8->20         started        22 TT_Application_form.exe 8->22         started        62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 66 Injects a PE file into a foreign processes 12->66 24 NsFThSDsSuY.exe 12->24         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 44 mail.modelinfra.com 159.89.168.198, 49700, 49703, 587 DIGITALOCEAN-ASNUS United States 14->44 46 x1.i.lencr.org 14->46 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->68 70 Tries to steal Mail credentials (via file / registry access) 24->70 72 Tries to harvest and steal browser information (history, passwords, etc) 24->72 32 conhost.exe 26->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 09:08:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=juc6kojvahy22c4o66x25d3ynxkgjs2sp5kb4l32jlwah7326nga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
33b5ccf1b3b48e22ab607320e0bb143ad0ac2a9770b0e385c0365366de472ceb
AgentTesla
66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303
AgentTesla
814e073523aed94d4433e76ef0d0ecaa94224313fb4e54e6716b26e22f06e5ac
AgentTesla
9889a91e24a729669aa276f27617f5169fd9d8f0358be427ed4e4cd9bb8e5dab
AgentTesla
befc3edb5d02c2d1350dfea27e2ae101704b5c18827e9dba61afe446ff371730
AgentTesla
dc9592028314f25ba440ef8629468e39714188cdd0d681e76d2e8222bec8978c
AgentTesla
dce7af2c2162f2fa2be0ca63706446e0b3c4bebdf1ae8791f22cb76ca7aa375c
AgentTesla
de567e5c1f4968bfb083ffcb111e1d0613780a47c58767af65fbd90c27507b4b
AgentTesla
eed1e8c36a418b60ba36641bb30f7bab473e20421b8875eff0dd790a666f8825
AgentTesla
f54df2996b5822d0fce462c7675e0a9522d05664f45fb278cff05617b8de7b9c
AgentTesla
+ 567 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230428-xrg3sahg6x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/132937d5-9bfa-4ce4-8aec-65fc329f57f6/
SH256 hash:
3af0265816a895d074584c98e7ff6a93990fc0657faf84ddd959706640bd023d
MD5 hash:
6bb640a27431bef4c59d1956799540b4
SHA1 hash:
e9c99abb17c1cc43696663be8995045c6f97a63c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/132937d5-9bfa-4ce4-8aec-65fc329f57f6/
Parent samples :
d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e
dfb7a1be58446a935967d834e0374d948ed2a5506c6075343b0375614a4a6504
4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c
05a6e74beef92dc711c25b3b01565f9b1a36f08f914567e467e5a47dc2d1087f
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/132937d5-9bfa-4ce4-8aec-65fc329f57f6/
SH256 hash:
5a0fcca64d497b7e87e0c348552c9680b6f556aeb5ef9d0a873404af5e5eeee0
MD5 hash:
d64ab4ee6bde8d96ada094facbd7a986
SHA1 hash:
9d51a133c2b25aab6965130ce07a97589ba1101a
Link:
https://www.unpac.me/results/132937d5-9bfa-4ce4-8aec-65fc329f57f6/
SH256 hash:
49bf0d29bf4c77884c2af28dfff96db207bf6181f3c8c4f5b53085a5057848ef
MD5 hash:
02a673d487a3fedb0e0b5739c7818992
SHA1 hash:
6ce31fd504515363742ffae49b9f72fc29ce940c
Link:
https://www.unpac.me/results/132937d5-9bfa-4ce4-8aec-65fc329f57f6/
SH256 hash:
4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c
MD5 hash:
246a2c0d71e7ef9dbcc900547e7be591
SHA1 hash:
0638d88bb7e6c769e37b6b74a9a9feca4c300cf3
Link:
https://www.unpac.me/results/132937d5-9bfa-4ce4-8aec-65fc329f57f6/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d05e5393501/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/385524/

Comments