MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2
SHA3-384 hash: d4cfb182583849f9f53b80693f84313df3a8304da750e0a2f8c01c6d8cb30ce40277d5a751ced6ed635926ad3da3d772
SHA1 hash: dc721e6ca52b4dbf1c92a7ff5cabbf4831039fb9
MD5 hash: 4ce46bf0d5fdcc21c2699bf174bc5f9d
humanhash: spaghetti-lactose-carbon-jersey
File name:RFL_058_13_72_06.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:384'000 bytes
First seen:2021-06-03 15:01:59 UTC
Last seen:2021-06-03 15:34:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:37PCv1T0HiLGSUKAdj5vf6q8V3Zbqh4POdEEe2:jCvB0HiJUKj3Zbq/v
Threatray 18 similar samples on MalwareBazaar
TLSH 6484DF62070EC9DCF25A4638482C9B6309563E660DD65DCD8B9DBEF03CB19DE528E07E
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFL_058_13_72_06.exe
Verdict:
Malicious activity
Analysis date:
2021-06-03 15:06:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df0b09c9-5de9-4e98-9462-345c31571b3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164435/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796777
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 10:01:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7zpo4utw2ae36areq4zuqllgbgx454olrqvppy33ehw4ai7a3ja._file
Verdict:
unknown
Similar samples:
0768e83e8d36f21ea90867dcf3935ee48795daf2e4a0017979e752b865c95d9e
AgentTesla
13f9a3448c9f640ce71500fbcdfc51a2d3da47664a37ec9370c92671ceaefa5a
AgentTesla
2e14e2e4049c3ab737de85b2aec09298495717ecf076ca15c8ffb3eb9ce01833
AgentTesla
4ee7793ced917a0ae8b3928b869b23d9165376e03d818cfd9a0e5e9e82d37e45
AgentTesla
6733d0ce3ad0c63755f82e7c05a815f2420cccd7f7775dd9227732f59e7fafff
AgentTesla
68997aa367d5b00e31b462a41dafe45cbe04b9b85ae70b4ffe7db107163f2f3f
AgentTesla
971cbad0d6aa786edc401fd9525336bd3f2d1d6718b3290e93b85458d3e34401
AgentTesla
a2802bb969592412993d1c0d2c86f7054944166d5eaf8c1ec020f008e7eb2eb6
AgentTesla
ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c
AgentTesla
ebfa3b7367c9f13b4417f57c541a9c8c192a291cda5fd113de575d4ef53d8543
AgentTesla
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210603-9ptyl5gffj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
9990769326b8fd96cd4de673a6771f00d5b1a42931e688d089ca114d93e9e80a
MD5 hash:
0a686eb51429d9c2b8be6c23966e7696
SHA1 hash:
76fbd742b513724c5e2bdf420eba3a6701822d7e
Link:
https://www.unpac.me/results/1ed9e912-3764-45a4-a601-23dbcbee8b70/
SH256 hash:
ba120914b056dc7ef0240b12cf6e32bad2b915807cf645e503cc5f4f990cf0c5
MD5 hash:
e3276838a4a32fb5b1c742062fcc7313
SHA1 hash:
63660c1a3fe62063fad05bd9362f1f63f7f9636d
Link:
https://www.unpac.me/results/1ed9e912-3764-45a4-a601-23dbcbee8b70/
SH256 hash:
84c3793aa4779f379a4ac17479d89e6c282d3c47a0085cb75f6baf84551ae57f
MD5 hash:
496bab45d106e9b2a023925d2a2758a3
SHA1 hash:
20a7cb0e8f693dc2af838b9600cec3c5d9dcb754
Link:
https://www.unpac.me/results/1ed9e912-3764-45a4-a601-23dbcbee8b70/
SH256 hash:
4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2
MD5 hash:
4ce46bf0d5fdcc21c2699bf174bc5f9d
SHA1 hash:
dc721e6ca52b4dbf1c92a7ff5cabbf4831039fb9
Link:
https://www.unpac.me/results/1ed9e912-3764-45a4-a601-23dbcbee8b70/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r01 1b1559e38c450f75c981a22052632f1773e78f5b3444660a68a0a7723cc06b48

AgentTesla

Executable exe 4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1b1559e38c450f75c981a22052632f1773e78f5b3444660a68a0a7723cc06b48
Cape
Cape
https://www.capesandbox.com/analysis/164435/

Comments