MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd
SHA3-384 hash: 0170cb08772a7aa576f5c3802f3b8ec4c954bb6ff5848b9061c2b22b6be1239832276f492c5c34073a89a43e6c56aa06
SHA1 hash: 4e0e55f8b9afc959aaacc217327722d3a9db2f97
MD5 hash: 221b4dce039b2a7feaa20a87cffc4dc0
humanhash: ack-sixteen-nuts-ohio
File name:221b4dce039b2a7feaa20a87cffc4dc0
Download: download sample
Signature AgentTesla
Create hunting rule
File size:627'200 bytes
First seen:2023-07-18 14:14:37 UTC
Last seen:2023-07-18 14:34:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:dmAY2kcdbL4EfTvq84aF7+T1Hp8eetrLuPIs0C:oN6GEfTifW+ZHp8ewrLu2
Threatray 395 similar samples on MalwareBazaar
TLSH T186D412005DAA5B23E0172FBA444225F2867B47E67915CEB35C4EF476FB26B0EC861B43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
221b4dce039b2a7feaa20a87cffc4dc0
Verdict:
Malicious activity
Analysis date:
2023-07-18 14:16:04 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/3d87c79d-a42f-4096-8329-fa8d0f13b247

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/423741/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19781.25586.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64b69e698be3f49cc38d965b/reports/bd677c15-d5d9-4f85-9f7d-cd252f18f2d1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/348022e7-0f55-448e-90f8-49fd169b62f2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275181
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275181 Sample: 23qzm5A7rc.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 7 23qzm5A7rc.exe 7 2->7         started        11 wajtLXibNYmkvJ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\wajtLXibNYmkvJ.exe, PE32 7->35 dropped 37 C:\...\wajtLXibNYmkvJ.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpB474.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\...\23qzm5A7rc.exe.log, ASCII 7->41 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 23qzm5A7rc.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 19 7->19         started        21 schtasks.exe 1 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 23 wajtLXibNYmkvJ.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 api4.ipify.org 173.231.16.76, 443, 49699 WEBNXUS United States 13->43 45 api.ipify.org 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        47 104.237.62.211, 443, 49700 WEBNXUS United States 23->47 49 api.ipify.org 23->49 71 Tries to steal Mail credentials (via file / registry access) 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 13:32:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jy6vppwe6bqm4bbgqxbovnudopjjp3zva2rkkptf57v67jpqqt6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
079ee1d5bfc9f7b51c26f721c3e43160f01208bfdcd67290b44dd0f53cac5ca0
AgentTesla
2c4d72ac436fbd83a5e3138bd493bee423663f054dfbbc55c5cc50e13f5723f2
AgentTesla
339b656f202364608d6b3aab91f86de7cc68ae0b599da1380cd7ff9b31fe7c43
AgentTesla
571cc0498824bbf035b1291c9dc08726c93a943411a21659916d2ed27e6fa3f0
AgentTesla
810321f2b71adcaa676f764693491d2080735c29e509b2a546e32212a2c83ee1
AgentTesla
8a8dbdd76d8797ceb381340c441af6d1e2d4c6f55cb0583c2677d1371be74a33
AgentTesla
a07e48874a69880208333c95cc881484421695b907c107e9e75593c75ec59eb8
AgentTesla
e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f
AgentTesla
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90
AgentTesla
f11985ed8f09689544e4eee025a8526c59de67423874d4fb8a33b73da723edb9
AgentTesla
+ 385 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230718-rkkmfabb29/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5869504375:AAFm1Z7IkZTyjASpoFpmokA0jISwF8dTPE0/
Unpacked files
SH256 hash:
45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c
MD5 hash:
ca775551666be768a9241f43eec98b87
SHA1 hash:
fbbd937067a24c48ee5274d3fa2881a991e64f3c
Link:
https://www.unpac.me/results/97daebf3-424b-45bc-b976-d167ce69e3e1/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/97daebf3-424b-45bc-b976-d167ce69e3e1/
SH256 hash:
7886f9ebf019b0bdfd019ffb1f90b0d3aa2026c9f74a1fccf51a80047a525b25
MD5 hash:
f75dba9e50ed90d01aa4a7d934e71e3c
SHA1 hash:
9dbe14156584a221c4fd8d0d8f9631de609730a2
Link:
https://www.unpac.me/results/97daebf3-424b-45bc-b976-d167ce69e3e1/
SH256 hash:
c3ebd3b061d7d801b8f157c5f40f4c6d0604b02e7060d108352ee7b676e0ad2d
MD5 hash:
1ac9ff9b7fb406c1bfe2140a615c39ca
SHA1 hash:
00b948ee4880cb925b0358503cf98b6da92d0f99
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/97daebf3-424b-45bc-b976-d167ce69e3e1/
SH256 hash:
4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd
MD5 hash:
221b4dce039b2a7feaa20a87cffc4dc0
SHA1 hash:
4e0e55f8b9afc959aaacc217327722d3a9db2f97
Link:
https://www.unpac.me/results/97daebf3-424b-45bc-b976-d167ce69e3e1/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e3d57bec4f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/423741/
  
URLhaus
https://urlhaus.abuse.ch/url/2685165/

Comments


Avatar
zbet commented on 2023-07-18 14:14:38 UTC

url : hxxp://192.3.109.162/91/summ.exe