MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce
SHA3-384 hash: 8934aa2077aba7111f3740c1e7726cbfac4402fd066b94c849d0bdd42d76ed08e0c42d8b7c2b524c3e68eba7fab39a4e
SHA1 hash: 2247a678c3018d3a5a37f587aa8311685f63318e
MD5 hash: 7bc5658abae11700b1733ba008faed1d
humanhash: oregon-item-speaker-nineteen
File name:hesaphareketi-01.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:666'112 bytes
First seen:2023-09-21 13:51:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Q2iNNEisUH/h20w8j780Jr+Q3x/9bez5ai9NTfT4YcBAcXvbCs1IFr5mpHqWu:Q1XEWrws784rz9besclfT4WcXvmrApH
Threatray 5'731 similar samples on MalwareBazaar
TLSH T1C0E4231A76E40B46F12A5BF40A3866E14B71CE833163F3195CE7B9EC5B22747B5A44C3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.lbmuhendislik.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2023-09-21 13:52:50 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/25763c9c-960c-42f5-a27d-27ea98ea54f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450389/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650c4a898a37001eb1d7220d/reports/59b40594-6e07-4cb7-895e-ee82a97db054/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/49e626b1-260e-410f-b909-7b2760a30670
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312322
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 11:01:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
16 of 23 (69.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ompuvvfx4cbyciub7dkzxngjadwkannlctlmgaqvwm3eot5hnxha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4179cbf147e658854400967be76ca120278fe858fa44cc24cefea7578065b2ad
AgentTesla
5afc34ba8d87868898a975c8a82a6817739d9ff294fae609b2ca293ac5e478a6
AgentTesla
82ec3f48b64379387613c3cddcdd400f095161826bac92ce3f7907dc3807a9df
AgentTesla
8ad97b139323b7419ce2dda68a97a3552a05b6f951ebe9e524af0df51736e1cc
AgentTesla
8faf480c1ae966b6f4f2656368ec83dca9ab004811cf330083afc56043735a5b
AgentTesla
e0a9d1ee5f291098090a028934842e554f4bb482a0100077d909d3005430b2ee
AgentTesla
+ 5'721 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230921-q6d64sad22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a8a5fa695501c7d7e1c70dc9c7aa9dbaa98d03c4ded262947811cb883c3afe7d
MD5 hash:
200ab8e098a1e41ca357d3cdcfab4bdf
SHA1 hash:
dc2a6966c9b964286e41d8cc77d57bc5e41ed216
Link:
https://www.unpac.me/results/0929c649-84af-4a71-9a96-83b81c41f4c8/
SH256 hash:
8db18bb92192fbd3d9e9681e630af8b7eccd18c1048bc7756eebfd68349d3d69
MD5 hash:
ca69aab065d6742ef9170e63250d4c83
SHA1 hash:
c415eafeeadaf00cd75a213a18332b3646847e21
Link:
https://www.unpac.me/results/0929c649-84af-4a71-9a96-83b81c41f4c8/
SH256 hash:
f18ede1829f6537e67a2f4e8cdcd767ee6b50b8dab392ecf26c75ac34e1494fb
MD5 hash:
65d61d54ea7665a497fed9699cc9e7e5
SHA1 hash:
8418bb9f902beac21267a1a60ac8431a4179defc
Link:
https://www.unpac.me/results/0929c649-84af-4a71-9a96-83b81c41f4c8/
SH256 hash:
ab31e355b623e9753389df70092b6b3eaf52f5e5e8ef4cec007e77dede057597
MD5 hash:
5fa60992f8e17f90aa8dde827cd3d64d
SHA1 hash:
0ba55623170c0383137fde6ce71354acaffa7342
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/0929c649-84af-4a71-9a96-83b81c41f4c8/
Parent samples :
731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce
c0251e3f1226fad0b3c19e8a99c12d8689d1b6b7357f7138aa0ad450519e351b
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/0929c649-84af-4a71-9a96-83b81c41f4c8/
SH256 hash:
731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce
MD5 hash:
7bc5658abae11700b1733ba008faed1d
SHA1 hash:
2247a678c3018d3a5a37f587aa8311685f63318e
Link:
https://www.unpac.me/results/0929c649-84af-4a71-9a96-83b81c41f4c8/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/731f4ad4b7e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 731f4ad4b7e083812281f8d59bb4c900eca035ab14d6c30215b336474fa76dce

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450389/

Comments