MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 10 File information Comments

SHA256 hash:	976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05
SHA3-384 hash:	3d386f7b57ef334db8ed18c3880cbe6314ce5d1654db9e2d0186808a7ca7a612ff28255b871cd8554766a357dcd7e183
SHA1 hash:	4b6576737592a529e2d0abceb7e75d40c4430f3a
MD5 hash:	b4c3617243689d3e81414629b9d5da2a
humanhash:	purple-massachusetts-sweet-network
File name:	payment copy.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'584'576 bytes
First seen:	2025-02-11 02:42:32 UTC
Last seen:	2025-02-11 03:21:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	49152:CJssMilNJm6jpUmV3HnGbeSXKRezw1i2yACuAjENraI:vsMilDZVdSX4ez4i8CufNr
Threatray	5'826 similar samples on MalwareBazaar
TLSH	T1CCC50207FA8BC9A1CA81537AE8979E3847E8DD00664BC31A32ED3FAE35737199D41117
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	BastianHein
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

573

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

[__Virus__] EMAILMING BANK PAPER PAYMENT OF USD 8,8867.06.eml

Verdict:

Malicious activity

Analysis date:

2025-02-10 20:13:47 UTC

Tags:

attachments attc-arch arch-exec arch-scr evasion telegram exfiltration stealer

Link:

https://app.any.run/tasks/f0fa01b1-6ca4-4418-b734-feb5d166febb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.28315.134.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67aab96c49f32dfb0d82e86e

Tags:

underscore injector virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c0579b68-fd38-4218-bb10-8789c216089f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1611689

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05/

Threat name:

Win32.Exploit.Generic

Status:

Malicious

First seen:

2025-02-10 17:12:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 37 (54.05%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=s5w24t5z2up5zlovjjkvox6mexin4t623xzbe4kqtl6ffct7bucq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

8c60db4a7fb86932e648d746f942fe4d44b3f2af25acd838328a51e664e65d19

AgentTesla

cb67f2722f6f92410ac201428633fe5bab675359626e3aff660838cec8622699

AgentTesla

d8456ab4a369138177bc1e9cf0b3a32b3970dbea7c0aea45253f6e7260dcc9e8

AgentTesla

error

AgentTesla

f14291a5f69224e28fcb49f33d6e8da23a8ffd89927bad52571acd50e081621f

AgentTesla

+ 5'816 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250211-c7qdwavpen/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Agenttesla family

Suspicious use of NtCreateUserProcessOtherParentProcess

Malware Config

C2 Extraction:

https://api.telegram.org/bot5834796283:AAGrwY-Kkn2VgcNc7OCI3d_ssicyDA9JZcg/

Verdict:

Malicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/f286bfb2-f64c-4845-a276-28005329d056

Unpacked files

SH256 hash:

976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05

MD5 hash:

b4c3617243689d3e81414629b9d5da2a

SHA1 hash:

4b6576737592a529e2d0abceb7e75d40c4430f3a

Link:

https://www.unpac.me/results/89e882cd-3807-486e-ad05-3acf60e6b1ec/

SH256 hash:

17f207c59b9a78ca6c23c719724514517b53d49c6c0914da3469ae38a07c2a29

MD5 hash:

29a510cbb50c6ffa32ce7239fa1ce58e

SHA1 hash:

0f4e2c39398a8cdf6d01f707729ca83958a9a37d

Link:

https://www.unpac.me/results/89e882cd-3807-486e-ad05-3acf60e6b1ec/

SH256 hash:

8c60db4a7fb86932e648d746f942fe4d44b3f2af25acd838328a51e664e65d19

MD5 hash:

a43fb7b1b5b70f9f31f610848276fc83

SHA1 hash:

2241489daa9269e6822d5500b59f73c0eccc4609

Detections:

AgentTeslaXorStringsNet

MSIL_SUSP_OBFUSC_XorStringsNet

INDICATOR_EXE_Packed_GEN01

Link:

https://www.unpac.me/results/89e882cd-3807-486e-ad05-3acf60e6b1ec/

Parent samples :

5a97b51498c4db013229aa2f3c04931b9601baa24f7f85995a72bf9b12d2182a
3b233c5cc8b85a8020975ed736b93644fdae180f1d6f5190d91a3512e813ba8a
cf751cb4c13035d05f57da209d775efb4687be49d5861cc8a51ef78ed567c1a8
8c60db4a7fb86932e648d746f942fe4d44b3f2af25acd838328a51e664e65d19
976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/89e882cd-3807-486e-ad05-3acf60e6b1ec/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/89e882cd-3807-486e-ad05-3acf60e6b1ec/

SH256 hash:

46b7288849d7e45852c0ffa498227c079a74a2ed5fd945902e97a99e6b3aa017

MD5 hash:

780014338d4613f77987d5d3f684cb6e

SHA1 hash:

839a06faffb59afb034a4a2ffc68ca7016d5c0d3

Link:

https://www.unpac.me/results/89e882cd-3807-486e-ad05-3acf60e6b1ec/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/976dae4fb9d5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/976dae4fb9d51fdcadd54a55575fcc25d0de4fdaddf21271509afc528a7f0d05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV4 Create hunting rule
Author:	kevoreilly
Description:	AgentTesla Payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Trojan_AgentTesla_a2d69e48 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample