MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c
SHA3-384 hash: 52359ab71b2974dfb77b8dda87fc3b64012cfcd1b05f7437bc628cffb4cc816eb68f0a5aeda02b3282625e4133a66472
SHA1 hash: 31f1a04a2446f9fdd6f43cb3965b244f1311008f
MD5 hash: 542095e8ac63397ee8b327dcf278fa5b
humanhash: california-sodium-pennsylvania-sink
File name:AMISTO2947HYK.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:761'344 bytes
First seen:2023-10-24 11:08:51 UTC
Last seen:2023-10-24 11:52:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:oNAwmoQ3O1KidhxG9LievJucZiUIUKTZTJxFcRnR:Twc+HdhxMLZvJfp3KTpVq
Threatray 950 similar samples on MalwareBazaar
TLSH T19EF4010072BE6F2FD479A3F60960518603F6662EA131EB886ED271DF2961F505F81F27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
340
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455959/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6537a5d1e3768e7905c94d98/reports/60beadab-6cdf-45a6-8526-2090983851e8/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55b4f245-012f-409f-932c-2640945d7ab7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331210
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c/
Threat name:
ByteCode-MSIL.Trojan.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2023-10-24 11:09:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=krpc2s6k7t7lvolgi6jcqszhqptfunk3odyjszmdftqwdr6wmwoa._file
Verdict:
malicious
Similar samples:
2b740ef55ed31627baea39dd67f586a025763ce973415b30d71d2990e4d7fa6e
AgentTesla
32812b32bcd108fe5d4322071ae981c09366c7e424e788db406d7f850b4d91fc
AgentTesla
36cdd1d2327dd59355dfb9e8f790ae0a992dc957d602af2c30d70e1caa6d56b4
AgentTesla
5944d934a0233b9c30cfa0b20afe86a09e6afa67030daad7d8c1f0534a9d629e
AgentTesla
6113b0d235274f9aec41137c989925628903742267d4d66215351e20f618bbcd
AgentTesla
7317ce7a3ef968e23d55fc137f133f26864a6efc47dc1f10896ab6c4cf67ada2
AgentTesla
73a362f5fb3b1512dd913f9f5fffe0e3968d10ee6e5c243bd76ecbc5cd20e45c
AgentTesla
dd4a6bb436e33a55b18f88a38f23ea82b1f4d80cb170eeb7e1de6797b9ce59dc
AgentTesla
ea8306568b5452ad5953e4d65e0aacfd16dd2c78e96853c682a1518f7247c3e5
AgentTesla
+ 940 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231024-m849jacd8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1166302871613087784/nCg-9BRiGEVs0MiVwMTqq2QpA1zjZAVmt6WwJeafNmLmk88WIG2BMzUo6OyGTXikDTY9
Unpacked files
SH256 hash:
83504e4957b6a912f212206d84c5a30c8878ff864359700e69f73586c19cc098
MD5 hash:
3503951190f52faa6b1e6860b82e0f3b
SHA1 hash:
eb5ebba6411b525114ee1fa1ede005bf6a3b70f8
Link:
https://www.unpac.me/results/f36040de-f070-4798-a43b-92c2325fbb80/
SH256 hash:
4e5e6eae99515398cb2f655fa173910aff00b428a5d420d884f30e274d1ee0e1
MD5 hash:
5d72195eba291a7a5ed51ab2ed8c9cc1
SHA1 hash:
572d588b1a2f63bbe48ad24f3d8b5e98ce95bea0
Link:
https://www.unpac.me/results/f36040de-f070-4798-a43b-92c2325fbb80/
SH256 hash:
55b6cb7467359aa5843d18211c5e11f2c0ec25e1e6b282596db73a65b23e1978
MD5 hash:
8127f9bf73396f3d650378c3a563f832
SHA1 hash:
4362224d0e1686b1c86cff1a5d283018154f797b
Link:
https://www.unpac.me/results/f36040de-f070-4798-a43b-92c2325fbb80/
SH256 hash:
8833bdbf56fe6dcc320379ca64ef23a576c34265052fe8c9e801511b348c952a
MD5 hash:
9aa1db54f584a9fe93626cfb3b7788c2
SHA1 hash:
3956a08280108d8124de8df347b66cf5b53560ba
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/f36040de-f070-4798-a43b-92c2325fbb80/
SH256 hash:
545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c
MD5 hash:
542095e8ac63397ee8b327dcf278fa5b
SHA1 hash:
31f1a04a2446f9fdd6f43cb3965b244f1311008f
Link:
https://www.unpac.me/results/f36040de-f070-4798-a43b-92c2325fbb80/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/545e2d4bcafc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/455959/

Comments