MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2
SHA3-384 hash: 32bf32c073875c9b2049cd40fe86209fb780a74b885842026cefde0c37d99ce268a8bff399c2f249c9748a0e50c1f9c3
SHA1 hash: f9e1807345730644e4ef57862fc3709f38a36c80
MD5 hash: 6d7bedb94cf6eab15329728cca92a0af
humanhash: berlin-pip-eighteen-spaghetti
File name:04251452615625625.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'136'640 bytes
First seen:2023-07-24 07:50:06 UTC
Last seen:2023-07-24 08:32:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:AIlvJRBusyo2er8Usl/5J7tt85YRaHg2dON+wrdCPBaQl:DFup6Psl/3p6dOQGIBL
Threatray 5'186 similar samples on MalwareBazaar
TLSH T11E358FD1B150CD96E96B4AF1AD2AA53011E3BE9C54A4C10C5AAD775B3AF3342309FE0F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
04251452615625625.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 07:53:13 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/d20414c0-4d4f-44fd-ba04-9e207634a108

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/430597/
Detection(s):
SecuriteInfo.com.Variant.Ransom.Loki.24223.2615.1892.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/12c123c7-d1db-4b60-bd3b-f16625dc4717
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1278108
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2/
Threat name:
ByteCode-MSIL.Trojan.DarkStealerLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 07:05:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubayfsyyxg52maju2mkrr7xrjmjyyqfggg6qtqeyu7g5q5px3kra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03728e854a392ef693c6c2dbb39d240883db16cc580da2e95b9ca15197fb7d67
AgentTesla
085692e71ab34556d9c9ca011c81b75997225a5c2a9b6047d8d701e77ec23e06
AgentTesla
0ede8adc61c16ae2b85bb3d904addf4e9c508d351f14f36aae3d047e3a170fb6
AgentTesla
339b656f202364608d6b3aab91f86de7cc68ae0b599da1380cd7ff9b31fe7c43
AgentTesla
46b6fdea59c36bbb7d05b93343d11617e65aa3d76e9a2bf2c1d5969070364a29
AgentTesla
534d886457262e8dc1404e90dfaeeaff40735767639e044bd116b0adb93207c7
AgentTesla
5cc53602db09f6e14da3a1f8f6508649dc4fed90cbd6782b61d16d2600f61daf
AgentTesla
e213f4e03acb673bdf171735904353088ee43e966fefe127ab867079e77d4c16
AgentTesla
ed39354cc9cf8575417f0d810b93036e8e51c078e92195b33a44e4191c24e66f
AgentTesla
f2f7a27696bbccdc3c8c3e3f73dcb15c9045dbf76424e11b09146fd1b488dd9d
AgentTesla
+ 5'176 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230724-jptf5sbe53/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
527a6fb15631ee12b89b875766f6dbedad901fa2c3a6c5db48f56ce67c2e99f9
MD5 hash:
71bffa8e37d7d6dd560533fa93bc4beb
SHA1 hash:
f97d80b6add40b916c02d8bc6a436a0644b8b539
Link:
https://www.unpac.me/results/b10239b1-4526-46fd-b984-4e1434559175/
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/b10239b1-4526-46fd-b984-4e1434559175/
SH256 hash:
5272230fb767caf8c6658b65158a92a5e5eb36d37da72aa27a4cfebfd8de2272
MD5 hash:
183071f5bc35a9b81cd664652b8ed676
SHA1 hash:
386ed18384058cfa460cbcb821e5cd39e2f85b8a
Link:
https://www.unpac.me/results/b10239b1-4526-46fd-b984-4e1434559175/
SH256 hash:
e6f6d4537b5a06dcaa639efb0f59ad138130ef4c513244de3546a5738c0ebed3
MD5 hash:
04c1c72fcdab1c3639a9bedb97400004
SHA1 hash:
0e02ae80df4243f81292cbfbed7037f171aaf544
Link:
https://www.unpac.me/results/b10239b1-4526-46fd-b984-4e1434559175/
SH256 hash:
a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2
MD5 hash:
6d7bedb94cf6eab15329728cca92a0af
SHA1 hash:
f9e1807345730644e4ef57862fc3709f38a36c80
Link:
https://www.unpac.me/results/b10239b1-4526-46fd-b984-4e1434559175/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a04182cb18b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430597/

Comments