MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dea8c99304bc74c3f83063370c4662594e5a7e735ca304e2399e13068f9060a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dea8c99304bc74c3f83063370c4662594e5a7e735ca304e2399e13068f9060a
SHA3-384 hash: 3f6ac9869d1d20bc4f295f016b0ef63fe3a3a55441e82488f43b1dfb5532c721fc31ad582a2a2e54c96567ad157567db
SHA1 hash: 1656419a731f85bca2a9fda015da2e30e113250f
MD5 hash: ea448d520394a9f6d0f9840a7f0cf9f1
humanhash: fanta-low-pizza-winner
File name:ea448d520394a9f6d0f9840a7f0cf9f1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:306'176 bytes
First seen:2021-02-10 17:07:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:1foXvXAa5EQJJfMK5Ic+Zxs7ZjVbEdQoebn40dZlZ:yfwkDoKV+jIfDdhPlZ
Threatray 2'559 similar samples on MalwareBazaar
TLSH D354123CE374AE24EBFA85BDA4155D9D20777970BC868680C8C963ABCBB65341732D60
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ea448d520394a9f6d0f9840a7f0cf9f1.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 17:11:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/954dd1ea-ecac-4d65-ab32-0930abe8ccb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116611/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.7110.22151.21799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/604913
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dea8c99304bc74c3f83063370c4662594e5a7e735ca304e2399e13068f9060a/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 17:08:11 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxvizgjqjpduyp4dayzxbrdgewkolj7hgxfdatrdthqta2hzayfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f9c43e16d8b5a44dbdfe53a6f9bf132691c798ba435b697b98a793eb76d5930
AgentTesla
1dc2a4dd6e7e1525ff0e92f87bf12b95f62eb5750bdec7a41d40e49a3b2f9d81
AgentTesla
8392af9cff73aab10a60befd359d4ca2638d6a936071285579147303bb453497
AgentTesla
9829d39cbbfccc4142a5374e10f03470f60ea6e1f8a927b2516c8166f9b97f69
AgentTesla
98e764b75d7ebde740b0e29e500f624318f7d4b43d24fdbe698fbe41fbb999e3
AgentTesla
a0f7635bbcb14187feb63b10c5c5d25de66efbae8a592a62d782684cfc3fd94b
AgentTesla
ab23beb259fe20a76af05b4b498dec847db8d765c71abcbe5bd60c76d5d72cda
AgentTesla
cb0843ac3ea4a308ae15bfc9b8cffa8c99e417af1abf1527b89046ca8633918a
AgentTesla
db35265ea444acdac6a64bff7aa827ec5e86544507988b0fd0cce53232e92686
AgentTesla
dc8b8addeb256bdfb0eb82d09b54b57400deed315a727e331fe66ca59c965373
AgentTesla
+ 2'549 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210210-amk2sn4l3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/16f071a2-fe34-47a0-92fa-19754fb74f7c/
SH256 hash:
9ffa7d87e208c5f5e2c82ddb43326a55b0273513f895beb28b2b4ba588caae94
MD5 hash:
8cf35f22cb7fa9c2be9e458fe1013403
SHA1 hash:
dcbff7f4775bc7c93ba30d65619b18709157c95b
Link:
https://www.unpac.me/results/16f071a2-fe34-47a0-92fa-19754fb74f7c/
SH256 hash:
b36190f4c0cc1634700a61882348165cce325e92d66c9e5a99760b610180011c
MD5 hash:
f00c3aa05ab474dd42c5889f265786ad
SHA1 hash:
4539e32b07bc2742024d6a6cf34ea4b07870c9ea
Link:
https://www.unpac.me/results/16f071a2-fe34-47a0-92fa-19754fb74f7c/
SH256 hash:
4dea8c99304bc74c3f83063370c4662594e5a7e735ca304e2399e13068f9060a
MD5 hash:
ea448d520394a9f6d0f9840a7f0cf9f1
SHA1 hash:
1656419a731f85bca2a9fda015da2e30e113250f
Link:
https://www.unpac.me/results/16f071a2-fe34-47a0-92fa-19754fb74f7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dea8c99304bc74c3f83063370c4662594e5a7e735ca304e2399e13068f9060a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4dea8c99304bc74c3f83063370c4662594e5a7e735ca304e2399e13068f9060a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/999286/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116611/

Comments