MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 604883f675359fcfd0a2915294076c1a9db5e3d541a2183ee77680d5809da18e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	604883f675359fcfd0a2915294076c1a9db5e3d541a2183ee77680d5809da18e
SHA3-384 hash:	0cfb34ea9722aaca561aeae15d2804bb3b3e7b39d69a6703f6d82c3bdaab8be1a435817f5fec97be542e04a12a375c99
SHA1 hash:	12e3c4f70c520602d504b70452c27ce29ad74bfe
MD5 hash:	dc8340c9875e763b90bb58d4654233b0
humanhash:	fourteen-glucose-tennessee-winner
File name:	LPO-20257723_ Al Laith.doc..exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	675'840 bytes
First seen:	2022-04-12 05:31:21 UTC
Last seen:	2022-04-12 05:38:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:JkKUk65WC4qfrHhs/zYy4KeNjknGg465IoAS+h8RJh/0jgVgz:JkKX65WZqDkmKeu+wdm
Threatray	16'019 similar samples on MalwareBazaar
TLSH	T110E4E12165E88615D7BE17BDF831408087FA3E276816E3B85A85F2D52DB33C08E467B7
File icon (PE):
dhash icon	0f47090c0c0a470f (23 x AgentTesla, 5 x Formbook, 1 x SnakeKeylogger)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/262849/

Detection(s):

SecuriteInfo.com.Variant.Strictor.267077.166.13373.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

expand.exe obfuscated packed

Link:

https://www.filescan.io/uploads/62550ed3eab80a7a6cfdb57a/reports/23f9d042-2cff-416b-a7ec-7bdda696761d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c30c79d6-a9e5-46ec-885e-be259476e2a4

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/975055

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/604883f675359fcfd0a2915294076c1a9db5e3d541a2183ee77680d5809da18e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-12 04:57:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 42 (26.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mbeih5tvgwp47ufcsfjjib3mdko3ly6vigrbqpxho2anlae5ugha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4af88b1274a0eac4b1adccfde7a51efd4a01c13e668c73dbe61b5678b7d2c26f

AgentTesla

7c9db09b727fcd8d7cad535a77911b8b9fc0c2508366c9f7a90e1f8a8c6ad1dc

AgentTesla

ae0c09e5560968c147bfd8772fb490c9f867b37e14603021f9e2162947ed45e4

AgentTesla

ff0172ea281631b1b33bb1f5693ca927b02d448616c3bc420c2dcb99ac68ec04

AgentTesla

+ 16'009 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220412-f8aatsaec7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

8c59c7e4b61d89407eda57b82aa3617b0809bf802bd265aa0ec742c756103388

MD5 hash:

c66f7b70a3c71b678132ceabff7a69ad

SHA1 hash:

f642615e273c96cef96dc4243d0bf8e5b7afee0f

Link:

https://www.unpac.me/results/08c9171c-e168-45e3-a48d-adbcb04cab6d/

SH256 hash:

b4364bba1d1c0f9cd4f07899b646ab90c1fcee31a985cea8377960da1692903a

MD5 hash:

42d633e43e81a4b3b1e7c3e61a2bbcb4

SHA1 hash:

9e459eedfcd7d56b3917372066a55279e35a60fc

Link:

https://www.unpac.me/results/08c9171c-e168-45e3-a48d-adbcb04cab6d/

SH256 hash:

b80104382a13cef7ce3c01a989a17296ba6a9a3d4eb5f314be060591179a06dd

MD5 hash:

56e5a92817912ae9adf039e2fd2607f4

SHA1 hash:

977480b2d41e6771b4d5087217680f16abc52649

Link:

https://www.unpac.me/results/08c9171c-e168-45e3-a48d-adbcb04cab6d/

SH256 hash:

0d271cb581c7830026f5eabb9d96433058dcd460ffd5b625c010dde1ac08a8af

MD5 hash:

73eb9d8b6a851ec3b2edb645f546f898

SHA1 hash:

450517f4e4846dc1760c6a7f5623459b5118aa5e

Link:

https://www.unpac.me/results/08c9171c-e168-45e3-a48d-adbcb04cab6d/

SH256 hash:

604883f675359fcfd0a2915294076c1a9db5e3d541a2183ee77680d5809da18e

MD5 hash:

dc8340c9875e763b90bb58d4654233b0

SHA1 hash:

12e3c4f70c520602d504b70452c27ce29ad74bfe

Link:

https://www.unpac.me/results/08c9171c-e168-45e3-a48d-adbcb04cab6d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/604883f675359fcfd0a2915294076c1a9db5e3d541a2183ee77680d5809da18e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 604883f675359fcfd0a2915294076c1a9db5e3d541a2183ee77680d5809da18e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/262849/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample