MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789
SHA3-384 hash: aace265a6c95756231adf1b258b4693cdde9076f368c4621d4b3a0dcf18f6137ef0d2cb355a27d34d6329d967e6084bd
SHA1 hash: a717ee643a2d55a59aad2bcc7f00f36be9b7f5ab
MD5 hash: 2453d91d5e1b3ba88a35d9b3776e2e8c
humanhash: princess-video-gee-violet
File name:PO-7654321.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:779'776 bytes
First seen:2023-02-07 15:21:14 UTC
Last seen:2023-02-07 16:54:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QEO4gMruVR2lWPatYntDTYBEy/7uHT2sOrx7p58lCrd4gyQapWMsEPA:Qb4gMruPoWCtGtWjuHIrxN5IC54TWMHA
Threatray 24'829 similar samples on MalwareBazaar
TLSH T192F4234D53B48610DACD8AB6DCD904391375962CB261F32E9EE850EE2B23FA14B43B57
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-7654321.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 15:22:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff37b4bb-484e-4633-a5d2-e85e65a23031

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361415/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65392263.9484.30579.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e26ca096add6d1cf49f05a/reports/678bb634-658c-4682-90f8-4cc251afe40c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5821c9b6-7b57-4e4a-8ffb-1cf518e8b815
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167815
Signature
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 02:56:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yqa4fgnonkvehjkz2rchcrelhqlxvhluqkmdf7wyr3ptxvxf46eq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ebf4340d56b8018e2d6655311da863e7d3351ac9bda8438f2a42f51139d98a6
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
13ed10331157947caf6eac920f6b467c3170eaa5022b704d4596c0f397f8654c
AgentTesla
30c0d3fd2e08ec5373038ad0b90f1f1cb1a475661bafcc8a110e965bcc9d8f21
AgentTesla
6941a5420e23e7309cc09e6ffebf847a7c781dbbb726996a2b3d36340d347819
AgentTesla
a1354865cf7041fa2b63de856723685ba76d632d7e81b20d30402533f76a88e3
AgentTesla
e00c81eaf51d453c0a837df83d38b33cc4217bc40473a5a927c2434a1520a520
AgentTesla
f77bee7347c6139e6ee4f9410f5ff2305d6d5338f050926b678c22cfd90f19cd
AgentTesla
f8fa4a68488cfbb2c7130ee2637393f65e6a2585bf9171bcda0f0f7a7e4cffb6
AgentTesla
fb6e094c6f41acd5f135b06f8734814f742bb77fd6066598c06c3a679edb113f
AgentTesla
+ 24'819 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230207-srw5gscd25/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/
Unpacked files
SH256 hash:
41a103630f1241523fbcc596d430fa522619c5ce23a67a4be62f585525ab4824
MD5 hash:
75297b3a6754147bbf67e343788144be
SHA1 hash:
f5a0600347ef5f9cd704a4d67264de2c8bd53269
Link:
https://www.unpac.me/results/d468f182-98eb-4a4d-927d-9ba1cdd50c77/
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/d468f182-98eb-4a4d-927d-9ba1cdd50c77/
SH256 hash:
881207aeb4739ff5897dfa07215f57e6dac8481bd05e3f42c81f43de3fc0ac45
MD5 hash:
d92a06bebaa2e64c56be17f00aaf61bd
SHA1 hash:
cebb63817143c4b218cc6cb26bbc68ce02e96fd2
Link:
https://www.unpac.me/results/d468f182-98eb-4a4d-927d-9ba1cdd50c77/
SH256 hash:
28a96f41cd725f09cee3474b7e5761ca707c0fea48b7664848b63c20bafece59
MD5 hash:
7ffe9f83fb31b3170a51944b908e0bb1
SHA1 hash:
64b46a94b6cc972d6679d0be24f1074299e087cf
Link:
https://www.unpac.me/results/d468f182-98eb-4a4d-927d-9ba1cdd50c77/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/d468f182-98eb-4a4d-927d-9ba1cdd50c77/
SH256 hash:
c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789
MD5 hash:
2453d91d5e1b3ba88a35d9b3776e2e8c
SHA1 hash:
a717ee643a2d55a59aad2bcc7f00f36be9b7f5ab
Link:
https://www.unpac.me/results/d468f182-98eb-4a4d-927d-9ba1cdd50c77/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c401c299ae6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/361415/

Comments