MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ed899211dee493b523561cf3c183033d3bab0bca8190b4040c26c0061abe319. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ed899211dee493b523561cf3c183033d3bab0bca8190b4040c26c0061abe319
SHA3-384 hash: b7024c4548e24b77dc0287efbb7be4d08487043a5729e74697dcc49aae7bc7d7e266aebfad955ba1b43b30db8ffb024f
SHA1 hash: d8603a8a9cddb8d0c1618a9b637f1c902d74bfb9
MD5 hash: 49dc7de98ac24a533a836e9347a5154f
humanhash: pip-video-november-thirteen
File name:Factura y datos bancarios.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:559'104 bytes
First seen:2021-10-29 17:53:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:SKRA+loBQJeor9Jz+GeXnfhlLsv0giEBlblRNXVcXodIy:SKS+OijrqXfhl
Threatray 12'414 similar samples on MalwareBazaar
TLSH T156C49D9D7654B5AFC85BCE76C9A51C60EA606467430BE303A45321ECAE0E7DACF142F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
sv402.hostbudget.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A087B4649C36AFFFC0E312212C16ADA58A0832B0
Verdict:
Malicious activity
Analysis date:
2021-10-29 18:02:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b6dea6e-6101-4f3e-9072-519a4099960d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.6999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/84626b87-e236-4a1b-9c82-fe36ea2b4420
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879485
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ed899211dee493b523561cf3c183033d3bab0bca8190b4040c26c0061abe319/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 17:54:07 UTC
AV detection:
13 of 44 (29.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3mjsii55zetwurvmhhtygbqgpj3vmf4vamqwqcayjwaaynl4mmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
25e011e57e7ef6ca2c972b6f32bfce6fc649e96d392c9dd430d7679085391b6f
AgentTesla
2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431
AgentTesla
3856dcf8e7f4098a54379da0b07bac3bc497a5e7c14914f880f241dd6ee65464
AgentTesla
3b1da48931ff3140f0b370a3215b15e5774b8cc2597e04b31cd6f241671ccbdc
AgentTesla
5aa7f54ea9b684e8f17b5e34d4ea0ee92352377144a902f349128068a572291b
AgentTesla
5cf8e944ea54195e221343dec2bb3728c5faecc2b55be781b597503a7ae2fd39
AgentTesla
bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9
AgentTesla
caaf972ff74329282c2466ded6539eedc5d5db9817ebb53d3e7deab201195ca2
AgentTesla
fb05655473b38a54808c4b7d2a6a922db1a9444171d0cd4743f487ade124f047
AgentTesla
+ 12'404 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211029-wgwbzsdgd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9426bfbe0981d30e5e95005389379077b17d1c1b35f3d5695a20c42d20f44d9d
MD5 hash:
43a3f2244b3ab3639558661a784f4cc5
SHA1 hash:
86f40ce347ca474b2b614849ec89bfc380028957
Link:
https://www.unpac.me/results/e2e6d529-80e0-4322-8328-ec691e05aa7a/
SH256 hash:
6b10b4a5a7ab8b5aaefbb8d076971a1d1b46798c7d45a9ff27d054e71e4f61cf
MD5 hash:
acaba576b7bec753b680bbac9fb5c738
SHA1 hash:
0f49bf19ec18c7dd1902d675c1fa68bdb30319c3
Link:
https://www.unpac.me/results/e2e6d529-80e0-4322-8328-ec691e05aa7a/
SH256 hash:
4d1ee061c817ea30ca4e461a4f44388662c1c1c2775be2b323858ddbc1679b35
MD5 hash:
1b6d3d31872537cc611ff4322ffc1099
SHA1 hash:
0108adafb207ce044bfb3f7933da45594c545bee
Link:
https://www.unpac.me/results/e2e6d529-80e0-4322-8328-ec691e05aa7a/
SH256 hash:
4ed899211dee493b523561cf3c183033d3bab0bca8190b4040c26c0061abe319
MD5 hash:
49dc7de98ac24a533a836e9347a5154f
SHA1 hash:
d8603a8a9cddb8d0c1618a9b637f1c902d74bfb9
Link:
https://www.unpac.me/results/e2e6d529-80e0-4322-8328-ec691e05aa7a/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4ed899211dee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ed899211dee493b523561cf3c183033d3bab0bca8190b4040c26c0061abe319

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4ed899211dee493b523561cf3c183033d3bab0bca8190b4040c26c0061abe319

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments