MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a
SHA3-384 hash:	b0558afca5de0fcc0ab56eb4e6fca692ce94fa9206d88a0691ee9ba77b121a17d54b26ba44ff745727fb73f18f096218
SHA1 hash:	5333f2569ebc2c923ecc6d9cf8c012b6d70830a0
MD5 hash:	d2e45174bc212793f36c5107b52e026d
humanhash:	avocado-blue-carbon-robert
File name:	SecuriteInfo.com.Trojan.DownLoader46.2601.255.10572
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	718'848 bytes
First seen:	2023-09-12 01:36:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:KODphClGCxfAisF4JWM2XSUBIgnQG+isCyKCUt35dxC:KPEugnB+/Ul5dxC
Threatray	5'590 similar samples on MalwareBazaar
TLSH	T172E47D0123F59B10E57EABF1DA70812287B92956656EF31D9CC168CA1EB1F139BC3B07
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.DownLoader46.2601.255.10572

Verdict:

Malicious activity

Analysis date:

2023-09-12 01:36:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a689d64d-48d3-4880-b053-c6c6fcbd8c88

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/448032/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader46.2601.255.10572.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Sending a custom TCP request

DNS request

Creating a window

Setting a keyboard event handler

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64ffc0bf69c1cf3b6ab3a7cd/reports/d6924bd5-4a2d-42fe-ab51-f1b6f1377d61/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc125c57-f33a-4d20-92ec-431af24db1f4

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1307611

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-09-12 00:28:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j64g3ydrcorlknci2vrb3lsnfwtqupbw37zarhnfbijsn3wztwfa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2ea95697b79458479ff70e389a34ed1c57adaa2563afec01696c8315e98ce48f

AgentTesla

398d98ad4ba8f204fa73ab18cb76586cb3a4ae6f9f2eb038791929f6c1848964

AgentTesla

4707406289ad536e4093ed4dbe358209a9b0ce37d32e91e36b1d25f874f23d94

AgentTesla

92252e96c7db737e221fbe7b947a2755b504006c4542aee48e77b418e1dc1056

AgentTesla

967883efde0f9df6caa8f1cda685f7839344b755148e6c41d7c515132268bfa9

AgentTesla

b51c0c907444b390504c65e4d688a265f1698e2bcfc8a214ead20ef62f5d685a

AgentTesla

b964fd0b9facd76d7dd84b3491df66d51c5e95fd4385f47afd9764a72ebb939e

AgentTesla

+ 5'580 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230912-b1tbhsce21/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

aa23263f6c350872ea4fbb12edd5aed459e5c1ec120dd6bcfd7fad274b7e9646

MD5 hash:

e077a0e47b71a7d8d8c62847c5b69ef7

SHA1 hash:

bf75855dbfe8d8ccfc6e0037a34c4ad2b5d4abe3

Detections:

AgentTesla

Link:

https://www.unpac.me/results/342231b4-297b-4764-bf25-8737313ccd15/

Parent samples :

4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a
d72e06066cce04251239d12e50e546c951aab9c1c0682d189714fddcf0a74cda
d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7
647720247627b1a36405720d307ce33dc9487050c78fe58fbb76d5931a48dc79

SH256 hash:

b39991e0cf1630a6fb51e58475485017cb871bca1a115835abf895df24f18dde

MD5 hash:

fa4f67bc731fc3c41fb6d2609a7ddd76

SHA1 hash:

a7b387ac011f0ac1a6ce602c9bc30d89d487f09d

Link:

https://www.unpac.me/results/342231b4-297b-4764-bf25-8737313ccd15/

SH256 hash:

19279e5eb3f17306be692580f46b096c81e1e112dbdb70bbc75749312533498a

MD5 hash:

84531b7ca37937859a72fc4846268cd3

SHA1 hash:

9a2b3697ad7ad142ee89e5822a43be9df2d03540

Link:

https://www.unpac.me/results/342231b4-297b-4764-bf25-8737313ccd15/

SH256 hash:

4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a

MD5 hash:

d2e45174bc212793f36c5107b52e026d

SHA1 hash:

5333f2569ebc2c923ecc6d9cf8c012b6d70830a0

Link:

https://www.unpac.me/results/342231b4-297b-4764-bf25-8737313ccd15/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4fb86de07113/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/448032/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample