MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d96f10c0d981a5016b8ce1d1406f01e9edd3dba186eef964b270100f9ae3831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d96f10c0d981a5016b8ce1d1406f01e9edd3dba186eef964b270100f9ae3831
SHA3-384 hash: 22d240c1489d85338b2143110476196443936888c634e03e292b7d8a87e9445a866ba64fa789926bf85bc32f7847a7db
SHA1 hash: f1d5d3d265363c5bf3a047f3e18331d0f23345ea
MD5 hash: 7d16dbc53dc048f3322d6090f93f5f74
humanhash: wolfram-maine-snake-diet
File name:7d16dbc53dc048f3322d6090f93f5f74.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:546'910 bytes
First seen:2023-01-12 16:20:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:yY6k+MgdM6Lfuacge46rNeShoyL5khPwwJU7rS9ZNmVF6:yY6vMg+Nge46rNeShVL5kZwwJ99/mK
Threatray 26'016 similar samples on MalwareBazaar
TLSH T132C401143728F767EA421DB06926835552B19A853C2B170373FDBABC9CB96C67C0F362
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a29adaeadadac6a6 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d16dbc53dc048f3322d6090f93f5f74.exe
Verdict:
Malicious activity
Analysis date:
2023-01-12 16:21:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cae2c0b6-b5cd-4afd-b683-2b10648dbc6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352358/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64936863.15797.18125.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c03372aa212e9739a22eb3/reports/99ab6615-905c-408b-851a-c747f5035ea4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18595bbf-33c5-43f3-ad61-5625da9ec133
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1150566
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d96f10c0d981a5016b8ce1d1406f01e9edd3dba186eef964b270100f9ae3831/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2023-01-12 08:17:42 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 41 (39.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwlpcdantanfafvyzyoribxqd2pn2pn2dbxo7fsle4aqb6nohayq._file
Verdict:
malicious
Similar samples:
3e61d72e8e7853b7c4a966cdee9339bfe33b7ae33577c408cdfbca1d951335b9
AgentTesla
72d186da41f7d6979ff9b012e4e5b5581da86946d60ffbc5870cc7b99dce192a
AgentTesla
7c63a5117c732c2de79481785027a4ae761b9f33d8b1f6da7f89854042c91594
AgentTesla
851f52d27f15eb052fdaef1c0cdf91c9642d5b3c170a62a56c67d5b1b24d0c9f
AgentTesla
8c4cc2077f0eab36be58bb86b34035f1b9c133902630526f609ff0c194f4f236
AgentTesla
8e9e4862dfc8b989cc15a92b9c05350ab27dae772f5b808bc62d1b70ffb80662
AgentTesla
a336a946f7f2dc33357ee8a60016d5a0a3a16c611c7d900e2b19b774a73f93c6
AgentTesla
d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
AgentTesla
f2d560f960b4ab660621fef4d25d6b83b27da3deb53c1b0159c8abbc935a0ce4
AgentTesla
+ 26'006 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230112-ttnrkacd6s/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e7959de8-22eb-41f5-9ea8-ef4b092c1af5
Unpacked files
SH256 hash:
662c9dcfad78765dc89ebda74df3d2eb9bf55e23a5149052250da7b66cacc4b6
MD5 hash:
1944ce8cd6a87099ac956d6c6c54ef70
SHA1 hash:
7c3d3f49b8d5418094f305b5021ed362f3207e96
Link:
https://www.unpac.me/results/889dc62f-8c78-40f3-a24d-96f0b09625e5/
SH256 hash:
26b4baee515a008fa92681ec3c47ed5f24af6add46766b8627a5f8541ab9fb21
MD5 hash:
d73a35c321bd46387fb83e1ec261dde9
SHA1 hash:
3dec4281c6398b89eff6a2923d7a8f548fb77287
Link:
https://www.unpac.me/results/889dc62f-8c78-40f3-a24d-96f0b09625e5/
SH256 hash:
e0eefa0ee1fc7b8d94d74e2e832baa5ca503a404677e63a2da8083e76c1d4832
MD5 hash:
4f7af90aed72042f509aff9b7d694ca4
SHA1 hash:
4baa7316b82901b2fb857fc9fd19daae2a88199c
Link:
https://www.unpac.me/results/889dc62f-8c78-40f3-a24d-96f0b09625e5/
SH256 hash:
4d96f10c0d981a5016b8ce1d1406f01e9edd3dba186eef964b270100f9ae3831
MD5 hash:
7d16dbc53dc048f3322d6090f93f5f74
SHA1 hash:
f1d5d3d265363c5bf3a047f3e18331d0f23345ea
Link:
https://www.unpac.me/results/889dc62f-8c78-40f3-a24d-96f0b09625e5/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d96f10c0d98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d96f10c0d981a5016b8ce1d1406f01e9edd3dba186eef964b270100f9ae3831

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4d96f10c0d981a5016b8ce1d1406f01e9edd3dba186eef964b270100f9ae3831

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2283205/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/352358/

Comments