MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698
SHA3-384 hash: a0ba6db7bb939c47de3fe0bd62dfe7e5c15f8bb7f6403c9200d6ca8c8626dd67db995ab8508df1103882e1af224af217
SHA1 hash: dedce1680f802b0ddc708ab74eba5cd5f87e658f
MD5 hash: 25b24cc692dbff9a944e08722cf67574
humanhash: twelve-romeo-pizza-monkey
File name:Fatura_SUN202200000166.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:471'486 bytes
First seen:2023-01-02 09:55:27 UTC
Last seen:2023-01-02 10:12:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:iY5/tFGdaxnb/4zjXvj5uIG3GpAu8EY9I:iY5/rW6nb/4f/Fm2pVA9I
Threatray 17'332 similar samples on MalwareBazaar
TLSH T1BAA404167ECEFD15DCE685BE0D958FBACD1E74EE142002FA31C8B62964317609FC864A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4d4d4cce4e8e0 (27 x AgentTesla, 19 x Formbook, 17 x DBatLoader)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Fatura_SUN202200000166.exe
Verdict:
Malicious activity
Analysis date:
2023-01-02 09:57:04 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/1921c286-f465-4fa5-b191-0a67effef04b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.6.27876.7280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
flystudio overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63b2aa33b9b1c17375202beb/reports/f828b221-c5a1-49bb-9c90-7b9ae9b16832/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0b27910-c9ef-4b93-a128-26ff9b967b2e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1144097
Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 776827 Sample: Fatura_SUN202200000166.exe Startdate: 02/01/2023 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 7 Fatura_SUN202200000166.exe 19 2->7         started        10 hwtjp.exe 2->10         started        13 hwtjp.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\...\nsqEF11.tmp, COM 7->28 dropped 30 C:\Users\user\AppData\...\azwiudrxkn.exe, PE32 7->30 dropped 15 azwiudrxkn.exe 1 2 7->15         started        62 Contains functionality to detect sleep reduction / modifications 10->62 19 WerFault.exe 3 10 10->19         started        22 WerFault.exe 10 13->22         started        signatures5 process6 dnsIp7 32 C:\Users\user\AppData\Roaming\...\hwtjp.exe, PE32 15->32 dropped 38 Multi AV Scanner detection for dropped file 15->38 40 Detected unpacking (creates a PE file in dynamic memory) 15->40 42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->42 44 4 other signatures 15->44 24 azwiudrxkn.exe 17 4 15->24         started        34 192.168.2.1 unknown unknown 19->34 file8 signatures9 process10 dnsIp11 36 api.telegram.org 149.154.167.220, 443, 49704 TELEGRAMRU United Kingdom 24->36 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->54 56 Tries to steal Mail credentials (via file / registry access) 24->56 58 Creates multiple autostart registry keys 24->58 60 2 other signatures 24->60 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-01-02 09:56:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jx6lu4vwjlril7xfxjbxmtmb4tcdntun62dtaqc4df5vvru5g2ma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26cd2bcced6805a4bcfb2f0f36ee11314431ae022d0a38ec91f0108a6625dd07
AgentTesla
2b9b066e3049207623a9b58439eedeb0c226895e8a37431fb65ab15fc168636e
AgentTesla
2f356283c209400c6385a24450f266b59477e035e9389c8d1af4843cd1ad2374
AgentTesla
2fa992dea738a84ae8b297214ae3da1bc03591b05f4b2c0f3883270ece33a352
AgentTesla
6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b
AgentTesla
6bf40a84dcada0287d1491ead582f48d2a7d89528cbfe635bceb85a8925dcc12
AgentTesla
7c042716cacb46c8c1a105fd13ceb1093f20d28c869623c4d2236805876a9f1d
AgentTesla
9b19f138d170fb4ac954ca804d5877bdfd4f6d3342fde823a9fe7a6a69c078a5
AgentTesla
b1ce114d1b69edbc2fedd700e2ab5400c5f1fc62ca899235cfa0666a986641d1
AgentTesla
d3c2f6c0cf022d926366f343c1048acf8fee9575f42d700cce3f0ffc9605d33d
AgentTesla
+ 17'322 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230102-lycabsdh26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5932499274:AAFVgY_mSAbCu0fXfBWMuUmyk56JtTf6--Q/
Unpacked files
SH256 hash:
1c35bc3f72ca65e1d2df7cbadb7e1f9e5fe5fbffb110397a03da12c5b67a367f
MD5 hash:
5718ddbd46d8a95196d9fd70c2af0d94
SHA1 hash:
a62f4f5558bf73348f5364d5de29c2273f67f509
Link:
https://www.unpac.me/results/08b4a79e-1ac8-421e-91d4-c83498b6945a/
SH256 hash:
885b9d63d8849c7fac19b47a827acf8ce4919a0bfaaace5a0868959cbfebab63
MD5 hash:
36daae84fbaca3639697d81546a53488
SHA1 hash:
8e49a14cf1dff140d4536b3356e5a0b3e61b6fed
Link:
https://www.unpac.me/results/08b4a79e-1ac8-421e-91d4-c83498b6945a/
SH256 hash:
74c63cc8b30d7fab467f2ed820605e5d357ef1ee7c978eb2ee32bab91b650229
MD5 hash:
96970abeeedc0341ba36c8c3654d5a9b
SHA1 hash:
63f72352e5caade0b33822e8a1c4fbfce34223c3
Link:
https://www.unpac.me/results/08b4a79e-1ac8-421e-91d4-c83498b6945a/
SH256 hash:
4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698
MD5 hash:
25b24cc692dbff9a944e08722cf67574
SHA1 hash:
dedce1680f802b0ddc708ab74eba5cd5f87e658f
Link:
https://www.unpac.me/results/08b4a79e-1ac8-421e-91d4-c83498b6945a/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4dfcba72b64a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments