MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d662aa31227aa5a3d975fc14eba13cc85c328654852bda5587c69f24d14f8f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d662aa31227aa5a3d975fc14eba13cc85c328654852bda5587c69f24d14f8f2
SHA3-384 hash: 2c95667ff9f827104681ed7c505931f344a65e6c9359b9c57554fc57619eaad07f95226304e13ec9170416bbcbd40059
SHA1 hash: a2b0a3da764eaa6acc52ebd18116f5d56e39c47f
MD5 hash: 676f2a6e72c95a85f173122527520e5d
humanhash: island-carbon-arkansas-vermont
File name:676f2a6e72c95a85f173122527520e5d
Download: download sample
Signature AgentTesla
Create hunting rule
File size:219'136 bytes
First seen:2022-02-16 20:10:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:DwdqVH2x1qj0Ja6puViswMwtlxyBguIYAJ:DUS2MvauQNBlUtw
Threatray 14'592 similar samples on MalwareBazaar
TLSH T101241382A5FD678BF8D8563B9C1311C52770CA393FC22F614C5112BD2DA33BAEA66251
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.xlsx
Verdict:
Malicious activity
Analysis date:
2022-02-16 11:40:08 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan rat agenttesla stealer
Link:
https://app.any.run/tasks/c608d14e-492d-45e7-a463-41d8f2f7cb81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242057/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe mimikatz obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/620d5a5b875593a3ccd90258/reports/6d6f667a-5c8e-4963-b6cb-8645596788ab/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d82946a-44d9-43c2-a686-305e8a65283f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941171
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4d662aa31227aa5a3d975fc14eba13cc85c328654852bda5587c69f24d14f8f2/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-16 12:45:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvtcviyse6vfupmxl7au5oqtzsc4gkdfjbjl3jkypru7etiu7dza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
180a5d8c28bc4b365d42351b37869f1ab329a6e9c3c442aea122080c9e932dda
AgentTesla
465503db5e86acbee5f22c01c9e38c38bc3343823ccca8d0aec8ac6e0a51f81b
AgentTesla
4860fe0ef130905e083db85110fbe732cb74933dba0567d5b3aa509579f796a0
AgentTesla
91d6b1ee61fc676affdcead674c1d17c2d62f7aacc1a757e4071af6134fc2847
AgentTesla
b5347abcba9dfc9bdcf610bd8feee1128d9703de3b46f81d3767b9570c9b1bab
AgentTesla
c3d8b94147b34ce39db42864de50353bcb1da3889723a46c6244e53bd2bdda82
AgentTesla
c57fe1ed5d41144d82c9892c688982e7a649e4c3be7c130b48fbd13949448e7b
AgentTesla
c6e17d47f0103713c71fee5f81eb43518c37e1bdaa47d5da8e02cec124ad64c1
AgentTesla
+ 14'582 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220216-yx89wsceb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
http://agusanplantation.com/host/host/inc/3bf5ba6e6c7434.php
Unpacked files
SH256 hash:
43d63368ba5bbc8b63563d860de94a95831ab208e5e47728f184c7abc340fd6e
MD5 hash:
74b2e69d743346dd9dcb602c21c3d027
SHA1 hash:
4ae010a326b7e3594cb0e08562e5d9fd53997510
Link:
https://www.unpac.me/results/884aca4d-5688-462c-8f68-13953df205c6/
SH256 hash:
0eca1086a206398d9c5d24fcf5cbda95e380068db201096419b44c8de6fac73c
MD5 hash:
c300486501d448c0dfa967bad7bb665a
SHA1 hash:
7cea9dcfe72623834ce2741b9a9a7005dfd9338f
Link:
https://www.unpac.me/results/884aca4d-5688-462c-8f68-13953df205c6/
SH256 hash:
fb7e824c3e4ca860d531d632ce8257015fd66cee78c1d6621ef86fab44e5bdac
MD5 hash:
1578dc163712c12230d247abd1f67d0e
SHA1 hash:
7e21da9738d29417416be525ce90ec796192a5ba
Link:
https://www.unpac.me/results/884aca4d-5688-462c-8f68-13953df205c6/
SH256 hash:
4d662aa31227aa5a3d975fc14eba13cc85c328654852bda5587c69f24d14f8f2
MD5 hash:
676f2a6e72c95a85f173122527520e5d
SHA1 hash:
a2b0a3da764eaa6acc52ebd18116f5d56e39c47f
Link:
https://www.unpac.me/results/884aca4d-5688-462c-8f68-13953df205c6/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4d662aa31227/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4d662aa31227aa5a3d975fc14eba13cc85c328654852bda5587c69f24d14f8f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4d662aa31227aa5a3d975fc14eba13cc85c328654852bda5587c69f24d14f8f2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2045600/
Cape
Cape
https://www.capesandbox.com/analysis/242057/

Comments


Avatar
zbet commented on 2022-02-16 20:10:51 UTC

url : hxxp://103.89.88.117/ProgramFile/vbc.exe