MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
SHA3-384 hash: 9768541138d92d860ac87cd3c010fecae62beb90e049dd26d5c6f817240e97a83b8b67aa311bc014cd7cf54dc8ef17f1
SHA1 hash: 82592302006148b2771b3673097b68c9c3440f69
MD5 hash: 9d0c6c13702c13da1455bef20a31eb3b
humanhash: mockingbird-violet-lake-violet
File name:payment details.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:854'016 bytes
First seen:2023-08-03 15:43:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ed+3vSLeIJV1qTQ5x4JC92en/yQm8KiGp+0TqNd/5AWbqXdiEMTtndsOifVpEzSh:uteuag4JW2en/ZKp+YqNdx8NotndslA
Threatray 688 similar samples on MalwareBazaar
TLSH T12D05BFE47340E09EC857C975C8359D63A523615F9E1A920E2453BF8FBD2E3878A138E7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment details.exe
Verdict:
No threats detected
Analysis date:
2023-08-03 15:51:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aaa90716-64ea-4b0b-a4fc-a664da1585b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/440118/
Detection(s):
SecuriteInfo.com.DeepScan.Generic.Dacic.84363E99.A.D275B197.25666.11726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64cbcb4a539838c2be521b16/reports/031913af-c3a0-4560-b38f-8fbec750bccf/overview
Verdict:
Malicious
Labled as:
DeepScan:Generic.Dacic.84363E99.A
Link:
https://www.hybrid-analysis.com/sample/4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0f0e053-f656-4bde-907c-bddafc99698d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1285216
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1285216 Sample: payment_details.exe Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 44 mail.alo.com.eg 2->44 46 api4.ipify.org 2->46 48 api.ipify.org 2->48 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->58 60 8 other signatures 2->60 8 payment_details.exe 7 2->8         started        12 dHFXilRHPiF.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\dHFXilRHPiF.exe, PE32 8->36 dropped 38 C:\Users\...\dHFXilRHPiF.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp8923.tmp, XML 8->40 dropped 42 C:\Users\user\...\payment_details.exe.log, ASCII 8->42 dropped 62 Detected unpacking (changes PE section rights) 8->62 64 Detected unpacking (overwrites its own PE header) 8->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->66 74 2 other signatures 8->74 14 payment_details.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 72 Injects a PE file into a foreign processes 12->72 24 dHFXilRHPiF.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 50 mail.alo.com.eg 160.153.131.152, 49714, 49719, 49721 GODADDY-AMSDE United States 14->50 52 api4.ipify.org 173.231.16.76, 443, 49708, 49720 WEBNXUS United States 14->52 76 Installs a global keyboard hook 14->76 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->78 80 Tries to steal Mail credentials (via file / registry access) 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 13:58:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
30 of 37 (81.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxjlccasekmr65szlsxjl4hdwr7vnmwo7bixp7xgg6rfgqmw37dq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1fbe5f912ec66d5c25ad0684a7fc431d87d9f04b47d45418d18821c1f29cdf06
AgentTesla
48eef18edcc14ccc129e3e475e15bb2f16b33e8acb70e0aac29670dd0ce68161
AgentTesla
683568d99336f284738255128c424498fe2bfac750f23f68c525f7cf66597eda
AgentTesla
696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae
AgentTesla
7b37b945add0e6c872027313e3e011bf368c5cd038d48d3f719e6f08927af861
AgentTesla
8696628a17e1c100ca8a740fed3bb539f6c4784bbb05657053f57ed208da77f8
AgentTesla
9c1dfb4fb5b62214e9a1095dcb5e70f742e184fec69e70718c2fb46332a830f4
AgentTesla
cf5b1fe7a9600b5f132475ef3586dccd40e8559e9637d3f9b20e73f55d77961d
AgentTesla
+ 678 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230803-s6g9waea36/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
19db798ae80c67c90332c7ff403215d52c369ed37b5db94b2a90ea4067be3cac
MD5 hash:
5a68e82226093acc95f476e0685a1628
SHA1 hash:
e8d397cea86e3a814bb4b44f1a69a57165ec2065
Link:
https://www.unpac.me/results/27f8733e-5f45-4954-925e-fea91a9d1b35/
SH256 hash:
9c065d3587fea79ad6725dd910acc13b6473eaa992dc837c30155c682f5a43fd
MD5 hash:
da48d1124a1cdfe345717b27036ff567
SHA1 hash:
b7b9f24b0ad259eff75a01b871fc30f746f36c3f
Link:
https://www.unpac.me/results/27f8733e-5f45-4954-925e-fea91a9d1b35/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/27f8733e-5f45-4954-925e-fea91a9d1b35/
SH256 hash:
a702d5f318193ec6ca36bb09c7a208b1ee670551523d89ac1e7a460ab41d7f92
MD5 hash:
c368fe70622a8da638c967e0c95550ab
SHA1 hash:
44aa16eec7d0ad8b6dd7e6a285f64ebf0efc5551
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/27f8733e-5f45-4954-925e-fea91a9d1b35/
SH256 hash:
4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
MD5 hash:
9d0c6c13702c13da1455bef20a31eb3b
SHA1 hash:
82592302006148b2771b3673097b68c9c3440f69
Link:
https://www.unpac.me/results/27f8733e-5f45-4954-925e-fea91a9d1b35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/440118/

Comments