MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ec733b5e9c8f07798d95949e4299e9738e1a7930f56dafb31d197fdc25e1ab3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ec733b5e9c8f07798d95949e4299e9738e1a7930f56dafb31d197fdc25e1ab3
SHA3-384 hash: 3e71ad40ac33be6133c9515a87ae6e0ee84ea45a8695bda43fc5b159ecaa3517ff03a37a6dc03c63cde149bbe825ae43
SHA1 hash: 9ef66f926f9aadf9735977a55d6dd9a3cba6b932
MD5 hash: e1c955b695f54ec92b5662635daf199c
humanhash: oven-muppet-muppet-salami
File name:Pay-1334563-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:740'864 bytes
First seen:2021-05-05 06:05:05 UTC
Last seen:2021-05-05 06:10:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:VyDMsMxweeXhlJTW3wgzdCKgIVkyC59Zap/rIoxks+ukz5xYMVSjFA72X1AeUELh:IQwnRTIwaMK/VkDTap0oAn8Fs2X1UqbD
Threatray 4'861 similar samples on MalwareBazaar
TLSH C1F423B722A0A810C6ED6677D5FC53E2A33FA4059E96C86C2FF40A5C68E77539320357
Reporter lowmal3
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/149910/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711487
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404674 Sample: Pay-1334563-pdf.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 25 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->25 27 Found malware configuration 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 4 other signatures 2->31 7 Pay-1334563-pdf.exe 4 2->7         started        process3 file4 19 C:\Users\user\...\Pay-1334563-pdf.exe.log, ASCII 7->19 dropped 33 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->35 37 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->37 39 Adds a directory exclusion to Windows Defender 7->39 11 Pay-1334563-pdf.exe 2 7->11         started        15 powershell.exe 25 7->15         started        signatures5 process6 dnsIp7 21 smtp.marnner.com 11->21 23 us2.smtp.mailhostbox.com 208.91.198.143, 49724, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->23 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->41 43 Tries to steal Mail credentials (via file access) 11->43 45 Tries to harvest and steal ftp login credentials 11->45 47 2 other signatures 11->47 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ec733b5e9c8f07798d95949e4299e9738e1a7930f56dafb31d197fdc25e1ab3/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-05 06:05:12 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3dthnpjzdyhpggzlfe6ikm6s44odj4tb5lnv6zr2gl73qs6dkzq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0033a3b0a6921f76cff65b9cdcd5b6aaaa72386e2bdb660d21c4577ab0488ab7
AgentTesla
1228ba2604d0a579845a1dfdc24e4923c184e1295d2af972063d76d64b33ef99
AgentTesla
1a6a3ac02a5a13f30791093a6a47dc9aef9f4de415446a81f711975e85884044
AgentTesla
3ecf636a0d0d09987d861f3b470250742e1a37775d550e29cca275b4959bd9af
AgentTesla
490d077b95439b181a68d695fe8496653bf3dd42d6e4baef1e7132b550e278d4
AgentTesla
50534ba28f7816d167a68906737cb6fc77a40d48395dd3662fac75d8b9fd0228
AgentTesla
51f75531bd47bc9d1879bd84acb96441e7816e81bdb2c8c162817178e7c6e8cd
AgentTesla
6163bc4bf97b30e1467e29a4cdcee3ae5d0eab2780ad56fd8f8d464ad05510dd
AgentTesla
7db8ef2327e7ee2b63c945e0ecbc5e7071faf840781b66acff4766c6f09c8287
AgentTesla
8ca53e2b7188a9e623cfaafc4bb2bac6d0747c3349d162473b7b00ea80e9162b
AgentTesla
+ 4'851 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210505-16mtk9wmbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/483fd83c-3279-462f-aa0a-a77dff347328/
SH256 hash:
4ec733b5e9c8f07798d95949e4299e9738e1a7930f56dafb31d197fdc25e1ab3
MD5 hash:
e1c955b695f54ec92b5662635daf199c
SHA1 hash:
9ef66f926f9aadf9735977a55d6dd9a3cba6b932
Link:
https://www.unpac.me/results/483fd83c-3279-462f-aa0a-a77dff347328/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ec733b5e9c8f07798d95949e4299e9738e1a7930f56dafb31d197fdc25e1ab3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4ec733b5e9c8f07798d95949e4299e9738e1a7930f56dafb31d197fdc25e1ab3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/149910/

Comments