MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f34482c6ed40c4c88fa63645ded532cba42034875b5fef920f30d3570db52b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f34482c6ed40c4c88fa63645ded532cba42034875b5fef920f30d3570db52b0
SHA3-384 hash: 591f38045484b57a5fa2cc4e9a14dd73b628b581864564175d0ed86aadf1b3167b761db976188bad063d206d1400abf4
SHA1 hash: 51b5a42e8b54e28658b6c61df6d28b30c12c2844
MD5 hash: 20ad3952e269860eed9b711db2b57b6d
humanhash: uncle-robert-lactose-ohio
File name:20ad3952e269860eed9b711db2b57b6d.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'075'712 bytes
First seen:2022-10-03 17:09:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:hr7f32iNdK4HTNgqqdckXiBp5iGXW4jdW01SZqI/F8mDlteDTuOT:hr7f31SDd8IGXW4U+QDi
Threatray 20'301 similar samples on MalwareBazaar
TLSH T13535D01212BA4B0FD5566374DDD2C3B0AFE45D74E1B6C24B4FD9BCABB4772A5AE20002
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316197/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FQW.gen.Eldorado.32289.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633b1732d089a0c15dd4d4b8/reports/dcf9708c-3f18-4177-9b04-39c6e23738f8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b283afd-4ff1-4009-abfa-6ca3fb06a5ab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082678
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f34482c6ed40c4c88fa63645ded532cba42034875b5fef920f30d3570db52b0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 14:42:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j42eqldo2qgezch2mnsf33ktfs5eea2iow2756ja6mgtk4g3kkya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17589e726e9a629be05b4a39848c3a399549b646c38bbe9ac4c301a261dacc8f
AgentTesla
3f6123720c00142db2e4e991de07c950ffa9ed1974711fabab2fdf8ee91a0b6f
AgentTesla
440d7baaa7f6f905564990cdca6d95d66c7139d03832a1fea2449333dbce0571
AgentTesla
506504f6b96c1e8296cd8ed84b1c1a171fa01ed0f5b2b815c143c74c3b71e99b
AgentTesla
65f47b6044414100359d76cd579fe73fdea872525b9da1b4cc2e7b665d571d17
AgentTesla
be2376df70f906624766571ed4d763fcf2d9f869c4d3435d792179ecf8c246c1
AgentTesla
ee37c95d10c93066599d6de775cc3b91503feff1509d12257fa5c83e7875e0f1
AgentTesla
+ 20'291 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221003-vn6wmagbc9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/da96734d-3b82-44a1-b767-b8a01a4c1b7a
Unpacked files
SH256 hash:
a04c799fa302c78d04acc3b4be8ccbde2f7fa00fe515daf18a2fc7e65fad3b13
MD5 hash:
d76812ec4cbc45e1e26ed36691596f7e
SHA1 hash:
c854fe9792694fb464a0bed51c737ff61ccef736
Link:
https://www.unpac.me/results/f49cee14-779f-4a45-8bc0-53a101d53172/
SH256 hash:
22469ccad91936b4d8e5b93c7cf354cb46edd41174b7ea8827e703162d2e4d90
MD5 hash:
af599dc4450d1016e4654f2313ec2bee
SHA1 hash:
63d60590b45eb0c673e1e052754fe396ad05d914
Link:
https://www.unpac.me/results/f49cee14-779f-4a45-8bc0-53a101d53172/
SH256 hash:
93909eb5b51120f94ad98474a0348b481fcd78de2781989f5d81cf133423a481
MD5 hash:
51700a5cb165592f6061effa71368507
SHA1 hash:
5e75aec2092d548f2c694dd208a2aea0b9a20b45
Link:
https://www.unpac.me/results/f49cee14-779f-4a45-8bc0-53a101d53172/
SH256 hash:
86f07833592ad13daee71ae16635127f10f02d8f86159b1bd606919ac34aefd6
MD5 hash:
a0f3ed1f2844097697f9feb4a35a9274
SHA1 hash:
573fcd2dd56b1be7736ad6a16d2bb656a94e85ca
Link:
https://www.unpac.me/results/f49cee14-779f-4a45-8bc0-53a101d53172/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/f49cee14-779f-4a45-8bc0-53a101d53172/
SH256 hash:
4f34482c6ed40c4c88fa63645ded532cba42034875b5fef920f30d3570db52b0
MD5 hash:
20ad3952e269860eed9b711db2b57b6d
SHA1 hash:
51b5a42e8b54e28658b6c61df6d28b30c12c2844
Link:
https://www.unpac.me/results/f49cee14-779f-4a45-8bc0-53a101d53172/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f34482c6ed4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f34482c6ed40c4c88fa63645ded532cba42034875b5fef920f30d3570db52b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4f34482c6ed40c4c88fa63645ded532cba42034875b5fef920f30d3570db52b0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/316197/
  
URLhaus
https://urlhaus.abuse.ch/url/2260834/
  
Delivery method
Distributed via web download

Comments