MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31
SHA3-384 hash: 475c01adb240e02d07179759e9cc79d0219f26c4ac7f227acd68e08c83944e006b1a3197bf612f9d3692f4caf538e1de
SHA1 hash: 3696a691c977e0ee17daf4fdae64afe223577f48
MD5 hash: f85acd8628585ab8df5c045534359cd8
humanhash: blue-edward-hot-michigan
File name:f85acd8628585ab8df5c045534359cd8
Download: download sample
Signature AgentTesla
Create hunting rule
File size:508'928 bytes
First seen:2022-11-18 23:48:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:pPxaK900qz/Fsv5z3iDyW535Si3HO/9qxqoUxT06NNvq5EmnsZM:j9J8/uxyZVH3HOlmqrLS5nQM
Threatray 612 similar samples on MalwareBazaar
TLSH T11BB4029E6CCC6D35EB4A8A748A05819FFB73F344DE5E0A6064A8C322FD19DD7350B4A1
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry HA-22-28199 22-077.xls
Verdict:
Malicious activity
Analysis date:
2022-11-18 11:47:19 UTC
Tags:
macros opendir loader
Link:
https://app.any.run/tasks/939c3c11-87c2-491e-b4bd-28762736beeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335944/
Detection(s):
SecuriteInfo.com.Malware.PDB-43.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Creating a window
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637819f207c3f5e84a01eab7/reports/0c7c2114-c601-4e40-ba5a-cff9680fa7f8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3bc62a80-1a9d-4372-b128-f4ca1083fe68
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1116891
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 10:23:14 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwt7ip5haeq345y2gbe7pqm6qzbtfzjrd4ko4hvmf2rf2u2j34yq._file
Verdict:
malicious
Similar samples:
1ee453a94d90e6bd3615d306d7139c3abb5b7ea4f9f817a10218606c4aadcddf
AgentTesla
2c965072de3cd60d9dc8c066b9e5bd3130e0d03a0502e9598dc5493b2297f290
AgentTesla
38841cf99acbad325533235562fb6502b995a2a32e43315cf0c9ed3f6f394590
AgentTesla
55cf18f4491e2db87c5612b2501dbbd3acd9c6460b1863ab56f5d9209cbecbdc
AgentTesla
7265ba924abcc035e8263873f5ed19842a0ad724b408fb816e7c1b64768b0cf0
AgentTesla
a43a510468f0f694f75cee68d55c019f5de3f72b3627e3e3b8718d8afb2281bb
AgentTesla
db9bb4ecdc01a72d728f9fc7e522848ba7afe64bfa27516f0505a179db2f7345
AgentTesla
fed3b772542834aba36e33587e360877e9b76c186a937e39454119c757014763
AgentTesla
+ 602 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221118-3tzy9sdd48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0727042b-fd4e-44fc-89a4-740feb571b3a
Unpacked files
SH256 hash:
4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31
MD5 hash:
f85acd8628585ab8df5c045534359cd8
SHA1 hash:
3696a691c977e0ee17daf4fdae64afe223577f48
Link:
https://www.unpac.me/results/f6db5628-b9cb-406d-8121-96745793de87/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4da7f43fa701/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2425958/
Cape
Cape
https://www.capesandbox.com/analysis/335944/

Comments


Avatar
zbet commented on 2022-11-18 23:48:49 UTC

url : hxxp://103.180.133.133/froffice3665/vbc.exe