MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 14 File information Comments

SHA256 hash:	c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b
SHA3-384 hash:	4f892ab3b0c434bb743f74196c168fd1b04f55f8a7dcbcb63d8bff5e1399b26ec4911665856d0b93c62920423b1f39ab
SHA1 hash:	a3f20f2f6fabe0721f324001bcebcbdbcce64f45
MD5 hash:	321fd1179174be3182b1ffd4a624360c
humanhash:	king-yankee-coffee-single
File name:	ndHq.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	792'576 bytes
First seen:	2024-01-16 06:28:01 UTC
Last seen:	2024-01-16 10:55:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'636 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	24576:SNmW+SUZaI7ooaad0pQ1yrwOHo68y0sikIyYNyta:aIEond0pQMrwOKy6kIX
Threatray	5'414 similar samples on MalwareBazaar
TLSH	T163F4121033A8476AC4BE43F95231681077F67B4B2116DB6CAE8664CC2D35F82875BF6B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	adm1n_usa32
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

360

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471061/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65a621f85d1422b20814323f/reports/fc446eb3-2411-4603-b635-2d845785beed/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/092e4477-c41c-4588-9430-e538590e8711

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1375171

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-01-15 16:41:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ykekwonj7v6yg7ocm3emagvktwjtfsz7axdxfquo7bff3ae365fq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

6e158f16f07e8ff0704f797423eee56096fa51306fa8e74ae0034559f9cbe81c

AgentTesla

b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb

AgentTesla

b916d475339eb0e64ad8e4e8bf897adb317c8add907ca4f72c1b7fda76cd8550

AgentTesla

dc5a6c0264dc1bd2b948b6bf82b6912e8d7a8e691f95a2dcac4f7f6f0a5abb1e

AgentTesla

ff7cea1471a8650fec0cf17b7006d68320702939027341f922389672bfe88115

AgentTesla

+ 5'404 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240116-g8c76affe6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

0d41dfcd10f2c87273ebc988eb24d459775255a05d4a19a15ef822278897016f

MD5 hash:

ef45dccce56cf6b47858f3a486c7a07c

SHA1 hash:

ec101859149308efd9940ecf200199c3aa24c9e1

Link:

https://www.unpac.me/results/47b24069-38ff-484d-92fb-2392227b6f9e/

SH256 hash:

761c365377b932c963dde44ad0132b693c24cd1060dffdf61b6a1fb02a29309f

MD5 hash:

ce16e1909361f772057254d947662c1e

SHA1 hash:

94248eca0d0982700be42638565c1bf951cc8ec7

Link:

https://www.unpac.me/results/47b24069-38ff-484d-92fb-2392227b6f9e/

SH256 hash:

21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818

MD5 hash:

440bb4db146ccb1161ac2bcf365d7676

SHA1 hash:

506eda511b46df6e95d86861e70fda81307f8623

Link:

https://www.unpac.me/results/47b24069-38ff-484d-92fb-2392227b6f9e/

SH256 hash:

3aa075934fb4970013a4d2aa5ac80ef55b6ad9061ca3e11b264dbfb695b3e036

MD5 hash:

6372b81823f99264d1430e910a5964d0

SHA1 hash:

44b7b1c28e2a3475ba0f4e0ff224589b754f61ec

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/47b24069-38ff-484d-92fb-2392227b6f9e/

Parent samples :

c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b
81d97028e544d68d405dcc13b01d5949e23b11cd8afb6aaae473de2cb8869bf8
84f0a1001a606072b86d8eca2c4d9ccefc71c38ff71d0aaa2f4ae003f802917b

SH256 hash:

c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b

MD5 hash:

321fd1179174be3182b1ffd4a624360c

SHA1 hash:

a3f20f2f6fabe0721f324001bcebcbdbcce64f45

Link:

https://www.unpac.me/results/47b24069-38ff-484d-92fb-2392227b6f9e/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c288ab39a9fd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/c288ab39a9fd7d837dc266c8c01aaa9d9332cb3f05c772c28ef84a5d809bf74b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/eae44cf8-b1db-4ad3-8f8f-9f367e544a11

Cape

https://www.capesandbox.com/analysis/471061/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample