MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34
SHA3-384 hash: ad27634c456c924391d3c68175478cb00a64d531c50c694e09b3729ae789ef2651460ef3039c24487631fed02fa00ffd
SHA1 hash: f6d913f573415c63922aaea43910a6d0f55c75c9
MD5 hash: 03a7b7c06850ee24dc541983be5f677a
humanhash: red-jersey-december-october
File name:updated soa.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:764'416 bytes
First seen:2022-01-06 06:51:43 UTC
Last seen:2022-01-06 09:21:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6eAGQ0SW0Bww1/FR9Qm98fpUFS72tXBcttttxtttOIeewsfpppppppppUppppppI:G50SKw1/FRm2GpUFSqbLIusQUH
Threatray 13'648 similar samples on MalwareBazaar
TLSH T167F4F13AE9259F6BC526D1762423C0B25AF13EA17220E5673FC43DBB38B6D214367523
File icon (PE):PE icon
dhash icon dec2cccc8c8c88fc (8 x AgentTesla)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
updated soa.exe
Verdict:
Malicious activity
Analysis date:
2022-01-06 06:55:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a486426-6bbd-463f-aa6e-cdbf9043f81a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217497/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.3488.5684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61d6919802e388f9fdaf60e6/reports/013a8c1c-eca2-410f-a122-5fda9e5e6303/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17c071db-4df7-44b2-8654-ce0ec1a2773a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916160
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548638 Sample: updated soa.exe Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 10 other signatures 2->50 7 updated soa.exe 6 2->7         started        11 tKZVPq.exe 1 2->11         started        process3 file4 30 C:\Users\user\AppData\Roaming\KcSOZJHG.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmp9E96.tmp, XML 7->32 dropped 34 C:\Users\user\AppData\...\updated soa.exe.log, ASCII 7->34 dropped 52 Writes to foreign memory regions 7->52 54 Allocates memory in foreign processes 7->54 56 Injects a PE file into a foreign processes 7->56 13 RegSvcs.exe 2 4 7->13         started        18 RegSvcs.exe 7->18         started        20 schtasks.exe 1 7->20         started        22 tKZVPq.exe 2 7->22         started        24 conhost.exe 11->24         started        signatures5 process6 dnsIp7 40 mail.jindalpackaging.in 13->40 42 mail.jindalpackaging.in.cust.a.hostedemail.com 216.40.42.5, 49814, 587 TUCOWS-2CA Canada 13->42 36 C:\Users\user\AppData\Roaming\...\tKZVPq.exe, PE32 13->36 dropped 38 C:\Windows\System32\drivers\etc\hosts, ASCII 13->38 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->58 60 Tries to steal Mail credentials (via file / registry access) 13->60 62 Tries to harvest and steal ftp login credentials 13->62 68 3 other signatures 13->68 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->66 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 05:37:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyjrbxf6mgkwgvhvrn5ekjkoc6lu2qywshsowinox2h47evy542a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b0497a471a34be0ac2c4719719527d6a73b4a0ad0d7b8f43d9c9af5119ce9cd
AgentTesla
12bfe1ec8585783c0d21beafa4b9c319cffdf039a9bbf3a9582f9a3d441df03c
AgentTesla
1ceadc04d4c307c8a55165558fbc09995b699ee4180f0e9ca1a69e502561e075
AgentTesla
606c0fba8a5d431c5e2f2def1d52fa9dd68d0fb9ae415c25ef7b3b8895317add
AgentTesla
8a327800ffb60ec64017091fe873d8416fc8aa6c0a33c866b36394465e6ae25e
AgentTesla
8cad477be21ea2016f1d334a68127e195aa48ef0717e45cac715e7a5f67d30c9
AgentTesla
d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16
AgentTesla
d8fa10d686fb89d62493a8d1b0f59caefc2da5fdb327b6a65c1ddd65f4c10944
AgentTesla
+ 13'638 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220106-hm4nnabaf4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
7811a23d3696cf6ce391db8138148d1ccf05629b0e40fcdc68f33b383947e771
MD5 hash:
ff71a969d0ea5f85389b0dac60d4fb9d
SHA1 hash:
93ab1b43fc86ed3235d8df6144aea877c682ced7
Link:
https://www.unpac.me/results/41782f7f-008e-4185-acdf-0bf614b197dd/
SH256 hash:
a1673b7001184d45f1669b79c23d0af109ce788c6d002469e68b89de53e90550
MD5 hash:
f7147c12319f6f5db9181e5e7df6409c
SHA1 hash:
8b0dc0f664293104d17d65e52d984cb4b4c39482
Link:
https://www.unpac.me/results/41782f7f-008e-4185-acdf-0bf614b197dd/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/41782f7f-008e-4185-acdf-0bf614b197dd/
SH256 hash:
4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34
MD5 hash:
03a7b7c06850ee24dc541983be5f677a
SHA1 hash:
f6d913f573415c63922aaea43910a6d0f55c75c9
Link:
https://www.unpac.me/results/41782f7f-008e-4185-acdf-0bf614b197dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/217497/

Comments