MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd
SHA3-384 hash: 84ce97d516e0dc5b4d2a0d3bdc5650d9f79f400ac0dabb30a6739e440c79778174658163eaa3d145f64ce937150eb665
SHA1 hash: d2091d4fa1146d2c0a59bda93ed1ff58e68773b4
MD5 hash: 95e2f700c217d459d64023f5099a212d
humanhash: may-queen-oregon-video
File name:Belge.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'137'152 bytes
First seen:2023-07-24 08:40:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:LFuQn7vHDgapsKpwD+7HcGcrsccNy3jpZ:LhvHDuEWsROjpZ
Threatray 5'199 similar samples on MalwareBazaar
TLSH T115358FD1B150CD9AED6B4AF1AD2AA53011A37E9C54A4C10C5AAD775B3AF3342309FE0F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Belge.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 08:44:20 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/8704d637-338f-404c-bfd3-cc0c00f4a42b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/430611/
Detection(s):
SecuriteInfo.com.Variant.Ransom.Loki.24223.21056.12171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a686c24-7e32-451a-bab9-1ec71bf2e31c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1278152
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd/
Threat name:
ByteCode-MSIL.Trojan.DarkStealerLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 07:29:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvfw3fgumkhkbea5btbeof3z3rtal4kjhbibcbi7p37qswdu5c6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df
AgentTesla
1423a5d778e4db72f847f8841bb1dc04babace000a2ac3047ec1b8403d797db7
AgentTesla
29f2cb40f49d921306012930991a3e95de4257ff280f91ece81a5eb6f29d4025
AgentTesla
71f89701ea665ab429c5fabb91f89053ca165bfc489b54d963e7c4cfbb3338f3
AgentTesla
a444429e646f262a1380c2ec47c7459010b36f1ded2174026584d43070974da7
AgentTesla
c9463aa342eb6e6aee71c05a6780f7a467dfb7e86330567a830ce490289bc236
AgentTesla
d017c9cd55ed118f77ab63b7369dcdac66376a19736bcfd26a228bac6e350fa2
AgentTesla
ee2da73179620f58484c7ce7052675cdd0e12d05ba43d7d1d0cde21ef8260383
AgentTesla
f8b9d5747aecadccc915a840b8eeb87080b852a3fe7f3382f3a0389162a4162f
AgentTesla
+ 5'189 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230724-klez1scd21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/10b1ee5e-e209-4c02-baf5-25cf3eb98636/
SH256 hash:
904b5efac7a970ba981bcb7c45be9a4b4bc990e4651f8b7f0175ba70901568ee
MD5 hash:
089147a24de72a72df0e5046acc83d44
SHA1 hash:
9732f78f634e7042a3fd2fac756a83342d03efc4
Link:
https://www.unpac.me/results/10b1ee5e-e209-4c02-baf5-25cf3eb98636/
SH256 hash:
d41665ad60e8ab9bbe33bbf99499c670475d3aac9baddda33c51d80f99379f9e
MD5 hash:
b0d25714ca6f12a600426d0ddd6e032f
SHA1 hash:
6aa9ff6aa9d97cf944384640eefb198b7a3c6794
Link:
https://www.unpac.me/results/10b1ee5e-e209-4c02-baf5-25cf3eb98636/
SH256 hash:
e6f6d4537b5a06dcaa639efb0f59ad138130ef4c513244de3546a5738c0ebed3
MD5 hash:
04c1c72fcdab1c3639a9bedb97400004
SHA1 hash:
0e02ae80df4243f81292cbfbed7037f171aaf544
Link:
https://www.unpac.me/results/10b1ee5e-e209-4c02-baf5-25cf3eb98636/
SH256 hash:
ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd
MD5 hash:
95e2f700c217d459d64023f5099a212d
SHA1 hash:
d2091d4fa1146d2c0a59bda93ed1ff58e68773b4
Link:
https://www.unpac.me/results/10b1ee5e-e209-4c02-baf5-25cf3eb98636/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430611/

Comments