MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fba7e249712965407354d147dc082ea3b69c76ef50d232becb6f626184bd8c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fba7e249712965407354d147dc082ea3b69c76ef50d232becb6f626184bd8c4
SHA3-384 hash: 8b66ddc815d1cb632b80cc57b3cc95a3378699827a75703ea521c90a9609243fad6d52b696c9fdeb88028a3c88062e46
SHA1 hash: 9e6ec70cbbaf2b6fd628b56619ecc75926e97f64
MD5 hash: 0fd01f40a99a489f9a8fcd0ac6c343ae
humanhash: uranus-sad-asparagus-sierra
File name:HSBC Payment Advice_Docx.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:815'104 bytes
First seen:2021-09-13 20:30:26 UTC
Last seen:2021-10-05 06:39:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:B/gecNU2zqX6lUB2AkejZXR3AhY50WfNS/pR4zWZa:2DNgWUB2AkejMhIvFS/pRJZa
Threatray 9'786 similar samples on MalwareBazaar
TLSH T1B4059C0077F88729EAEE2770E0304A9506F6FC46A57ED78D5905B9AE1EB7B418D007B3
dhash icon cf8f090c0c0987cf (6 x AgentTesla, 1 x AveMariaRAT, 1 x RemcosRAT)
Reporter abuse_ch
Tags:AgentTesla exe HSBC scr

Intelligence

File Origin
# of uploads :
4
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC Payment Advice_Docx.scr
Verdict:
Malicious activity
Analysis date:
2021-09-13 20:31:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/714f05ae-f247-48b5-8261-406af03e9c3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187568/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Kryptik.f9f6f694.21279.7934.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
monero obfuscated packed
Link:
https://www.filescan.io/uploads/6175056bdb358dd15ed91da0/reports/f4f1dbe4-ee40-48fc-aa5e-f8c864cab052/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5345551b-2a82-4ba9-84c0-b2dcd717fe79
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/850154
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4fba7e249712965407354d147dc082ea3b69c76ef50d232becb6f626184bd8c4/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 18:00:05 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j65h4jexcklfibzvjukh3qec5i5wtr3o6ugsgk7mw33cmgcl3dca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1109e9c4a8dceb63160c59807b81adc6d4e82c28529c80bd1ff80993dc906508
AgentTesla
1242e07f0cdfe9f71f9e871c5cac57f24b2c4db3ff1fc36c2181d23b7f6c368f
AgentTesla
5498faba41c06057c3ddf0e715285f45083a4e517536f632b6da4bff6914773a
AgentTesla
67ad84f77b30877967798dd774acebc388e5ebb8f1944fa34c0801b94bc6d38c
AgentTesla
708a18ef69b6f283525326c42cfb42749e5eb5ba530911c958d44bed23dbbebc
AgentTesla
82974999943578ea16bc86bc5e87c7a6122e24593a9adc2f069f81be85ed79cd
AgentTesla
8b345f73d84e6fc765d7907aaa33d844ef2c180024baeaa53ff895bab8e19356
AgentTesla
a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 9'776 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210913-zap36sedb5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a3fac67dbf681cf505937bcaf5b92d80dd0d050261adece7751335344ca4c94f
MD5 hash:
8f023bbf381e2949558464a8e27ff20e
SHA1 hash:
dbe39551fb996740c3b2eea3655a8be1f1b145cf
Link:
https://www.unpac.me/results/89792f83-acb3-421b-a681-dc9cfd15a79e/
SH256 hash:
387ae6bc8287f753de69e6b0ab44b7e8c9d62c7a94a264c79c3ba676e29d4245
MD5 hash:
8fdd09defb31fdd6ccbc4d4073f2845b
SHA1 hash:
19f0ccb5a781f7ce5ecf5e45b203d022a2b18412
Link:
https://www.unpac.me/results/89792f83-acb3-421b-a681-dc9cfd15a79e/
SH256 hash:
4fba7e249712965407354d147dc082ea3b69c76ef50d232becb6f626184bd8c4
MD5 hash:
0fd01f40a99a489f9a8fcd0ac6c343ae
SHA1 hash:
9e6ec70cbbaf2b6fd628b56619ecc75926e97f64
Detections:
win_karkoff_auto
Create hunting rule
Link:
https://www.unpac.me/results/89792f83-acb3-421b-a681-dc9cfd15a79e/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Suspicious
Link:
https://www.vmray.com/analyses/4fba7e249712/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fba7e249712965407354d147dc082ea3b69c76ef50d232becb6f626184bd8c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_karkoff_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4fba7e249712965407354d147dc082ea3b69c76ef50d232becb6f626184bd8c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/187568/

Comments