MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fa5fc906da5080dbb40f75ff0aa9301080531e3dccaede9e9169121b5d0822d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fa5fc906da5080dbb40f75ff0aa9301080531e3dccaede9e9169121b5d0822d
SHA3-384 hash: 91bba99a9fcb4e2542257993627398805fb29bd057d8467313a2c870eeba84968aeed4e2abedc97df48a09f1365c85f0
SHA1 hash: 269aab5505f8a69e8b3fe905a7dfed8790452f85
MD5 hash: 7e435ad1bfb2912eec8710b29092ab6f
humanhash: football-nine-sodium-maryland
File name:AWB.NO-786334453366.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'026'048 bytes
First seen:2021-05-28 05:29:09 UTC
Last seen:2021-05-28 05:29:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:06mo0NOZ5XLcneZjTNIvNRFe083sgAohHdc4:0LKhZ/NIVksgAohHd
Threatray 5'359 similar samples on MalwareBazaar
TLSH 0925294D2654D712D239D774CAEA44B343E0EC23E201EB8A9CCA3B9536727C7368656F
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB.NO-786334453366.exe
Verdict:
Malicious activity
Analysis date:
2021-05-28 05:31:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/afb93711-2bbf-4a5b-85a3-52176b4c1a5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162881/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793639
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426035 Sample: AWB.NO-786334453366.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 7 other signatures 2->35 7 AWB.NO-786334453366.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\...\ouTxHrDGtmA.exe, PE32 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp406D.tmp, XML 7->23 dropped 25 C:\Users\user\...\AWB.NO-786334453366.exe.log, ASCII 7->25 dropped 37 Uses schtasks.exe or at.exe to add and modify task schedules 7->37 39 Writes to foreign memory regions 7->39 41 Allocates memory in foreign processes 7->41 43 Injects a PE file into a foreign processes 7->43 11 RegSvcs.exe 6 7->11         started        15 RegSvcs.exe 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 27 us2.smtp.mailhostbox.com 208.91.199.225, 49741, 49743, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->55 19 conhost.exe 17->19         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4fa5fc906da5080dbb40f75ff0aa9301080531e3dccaede9e9169121b5d0822d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-05-27 13:54:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6s7zednuuea3o2a65p7bkutaeeakmpd3tfo32pjc2isdnoqqiwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1449ab878502264784833760558568c389ed7e39498b45048d6bf2e6611c50b3
AgentTesla
4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55
AgentTesla
5a9e1ff007254cb77b90545f61dd8ea00eddc37b080950563b95d1bfbe70bb26
AgentTesla
80f4f76ea0e48a8de2d534286cf244562c938e595b10f2f92329bf57f379cc5f
AgentTesla
88f94c1e8a555d84bf7ad2e0fe21d82d33f1976786267af93808cc050d039bd9
AgentTesla
9dfdb84198d7f2fdb9d84755ade6eb891880447a68d64ebda45777d9be463f8c
AgentTesla
aefa2f5a8448c792183fedf9d025becfb782102b749c0fe3be273975f2dc3b61
AgentTesla
b4eddee0ed85389b25b45ad11c5ba9e581e667e6fc5aa32abae9d4c6b915845e
AgentTesla
c4cfc6eb77f1095f81578053857d14d9597a3c13aa35654fc2742989862ce6e8
AgentTesla
fb8bc20c5ad0dbeedd5c90d8fa5e9bd7e0ff71fe75c7ebd51559b0599699281e
AgentTesla
+ 5'349 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210528-4xamvqt5xx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fa5fc906da5080dbb40f75ff0aa9301080531e3dccaede9e9169121b5d0822d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 5021c6d687803c5eda452c546f930520ada710f87b3e5a4dee4788ff25899924

AgentTesla

Executable exe 4fa5fc906da5080dbb40f75ff0aa9301080531e3dccaede9e9169121b5d0822d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5021c6d687803c5eda452c546f930520ada710f87b3e5a4dee4788ff25899924
  
Dropped by
SHA256 fb8e126810598e66a8bfd07d710f55b22396d780e0f6fe1a7e0a1725fd65369d
Cape
Cape
https://www.capesandbox.com/analysis/162881/

Comments