MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba40edfef4bbd18ad6a596c678369f2a8ef335ced6ed96699124f164accf5243. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba40edfef4bbd18ad6a596c678369f2a8ef335ced6ed96699124f164accf5243
SHA3-384 hash: 33ee0870c8622eec038f2d33c0a635541481f8a6805a2fa731fdb4c550dbfb0ff28415c9c4f656217c402ecf8598281a
SHA1 hash: 37e609751c5c79f8c45d7cb4bf330e5fd93ead27
MD5 hash: bf01a4f9f453924638c552b997c7f9b1
humanhash: yellow-table-fanta-gee
File name:img90321.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:576'512 bytes
First seen:2023-05-13 22:52:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8ZJg1Bw4IILT8QnAR/XHg9qJDO8wrKl8xQO0kN:4TQnw/Q4JW+8qC
TLSH T11DC4025532F98F61F5368FF41534B98003F630A798F0E6580EF6A1C91EABF502A91B5B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter JaffaCakes118
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
img90321.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-14 00:32:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef196233-a00e-476b-a657-85d8faea71f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389084/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/646014d8ad8185420f897afb/reports/e2022e0c-d0b2-4100-b3f6-fd61c163aa19/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ba40edfef4bbd18ad6a596c678369f2a8ef335ced6ed96699124f164accf5243
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bffb3cd9-0b4e-4c37-afcc-1f039fbcc703
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232286
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865268 Sample: img90321.pdf.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 8 other signatures 2->55 7 img90321.pdf.exe 7 2->7         started        11 FjkedS.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\FjkedS.exe, PE32 7->31 dropped 33 C:\Users\user\...\FjkedS.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp301E.tmp, XML 7->35 dropped 37 C:\Users\user\...\img90321.pdf.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 img90321.pdf.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 FjkedS.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 api4.ipify.org 104.237.62.211, 443, 49695 WEBNXUS United States 13->39 41 192.168.2.1 unknown unknown 13->41 43 api.ipify.org 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 64.185.227.155, 443, 49696 WEBNXUS United States 21->45 47 api.ipify.org 21->47 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 73 Installs a global keyboard hook 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba40edfef4bbd18ad6a596c678369f2a8ef335ced6ed96699124f164accf5243/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 08:00:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjao37xuxpiyvvvfs3dhqnu7fkhpgnoo23wzm2mretywjlgpkjbq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230513-2t1p5aca51/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ebb42bbca5bd97754024846ca5888f1eaf6901796d334f0dc588ad5e8c930f11
MD5 hash:
e1009deb81f39bbbfd337c6e4e12fd91
SHA1 hash:
dd37c3ea31b6884af0cfc747bd9ca747e5ac533c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/1ab91b8e-d020-4e91-a2ca-7e00b69c6ee1/
Parent samples :
a4b5f7aed3df1aaffcac4423faf222b78da209a22d2f6bd74cdf46d2b1498670
ba40edfef4bbd18ad6a596c678369f2a8ef335ced6ed96699124f164accf5243
17fc4205571ea12188b9ed8b5659339e305ebc54bace4e3ba62c72c6b61cdfcf
aa8d4070795a05587fc8ad7dcbe4762a7f48e1bda165dbe12ccbe72412784757
SH256 hash:
6d6861789f1452139de1e860cdeb61d818590c40570e58d616f0a30018dc803f
MD5 hash:
dc62642b313291c74661a260be629fc2
SHA1 hash:
a9df87c0c839e403d3b41bf2180d761714650e68
Link:
https://www.unpac.me/results/1ab91b8e-d020-4e91-a2ca-7e00b69c6ee1/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/1ab91b8e-d020-4e91-a2ca-7e00b69c6ee1/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
d20da10bce073b35c5d74c31d4b40a792957a38384fc9ae4dd34eebd1b04f12a
MD5 hash:
bba4e51897ba12e2fe7989c975710dcc
SHA1 hash:
6b1157a74959c359d340c54479d0b19e4357e158
Link:
https://www.unpac.me/results/1ab91b8e-d020-4e91-a2ca-7e00b69c6ee1/
SH256 hash:
7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3
MD5 hash:
48f25f70764858909ab7fa96721f9d01
SHA1 hash:
1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd
Link:
https://www.unpac.me/results/1ab91b8e-d020-4e91-a2ca-7e00b69c6ee1/
SH256 hash:
ba40edfef4bbd18ad6a596c678369f2a8ef335ced6ed96699124f164accf5243
MD5 hash:
bf01a4f9f453924638c552b997c7f9b1
SHA1 hash:
37e609751c5c79f8c45d7cb4bf330e5fd93ead27
Link:
https://www.unpac.me/results/1ab91b8e-d020-4e91-a2ca-7e00b69c6ee1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba40edfef4bbd18ad6a596c678369f2a8ef335ced6ed96699124f164accf5243

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/389084/

Comments