MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4870350597d2092b5c4c7073cd4538734693a18833ff3e1c8325f19363bd96f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4870350597d2092b5c4c7073cd4538734693a18833ff3e1c8325f19363bd96f
SHA3-384 hash: af699fb2d28b92c0b2c1b40cb9358212ac38d71459d82cea917a446493de25271f5fb22f3a58b2c90da339bd12993a69
SHA1 hash: 57a7d719ca3b4a1895c0d82a039ad94aa7b64c6f
MD5 hash: 3b1da3d3a0db8376aa3062cdc693c377
humanhash: massachusetts-mississippi-speaker-april
File name:Apr 2022-Bank account change on HSP Valves Group Letterhead v5 Signed.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:820'736 bytes
First seen:2022-04-08 11:40:08 UTC
Last seen:2022-04-08 13:13:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:WrBB6ITOv93UCpOTOv93UCpeqIx1EH5y4hagv/b/E:EBB64Ol33pqOl33pXG14y4A+j8
TLSH T1DF05E0362BDC1AA9FABE4B765A7500A193F1BE576C20D65F5CE142CC09B0F01DB35B22
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Apr 2022-Bank account change on HSP Valves Group Letterhead v5 Signed.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-04-08 12:00:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c05bcb5-2ac4-43cb-a2e0-7b4d5af65d44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262137/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.29946.15350.10556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a file
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/62501f54d53a7479dadae97d/reports/19aab6f9-ea85-48ba-ad73-0e1242a74582/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OutSteel
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7800cdc1-a3fa-4fb9-a098-e4506840b234
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973121
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605608 Sample: Apr 2022-Bank account chang... Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Yara detected AgentTesla 2->51 53 7 other signatures 2->53 8 Apr 2022-Bank account change on HSP Valves Group Letterhead v5 Signed.pdf.exe 6 2->8         started        process3 file4 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->29 dropped 31 Apr 2022-Bank acco... Signed.pdf.exe.log, ASCII 8->31 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->55 12 cmd.exe 3 8->12         started        signatures5 process6 file7 33 Apr 2022-Bank acco...d v5 Signed.pdf.exe, PE32 12->33 dropped 35 Apr 2022-Bank acco...exe:Zone.Identifier, ASCII 12->35 dropped 61 Uses ping.exe to sleep 12->61 63 Drops PE files to the startup folder 12->63 65 Uses ping.exe to check the status of other devices and networks 12->65 16 Apr 2022-Bank account change on HSP Valves Group Letterhead v5 Signed.pdf.exe 2 12->16         started        19 PING.EXE 1 12->19         started        22 PING.EXE 1 12->22         started        24 conhost.exe 12->24         started        signatures8 process9 dnsIp10 41 Writes to foreign memory regions 16->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->43 45 Injects a PE file into a foreign processes 16->45 26 InstallUtil.exe 2 16->26         started        37 127.0.0.1 unknown unknown 19->37 39 192.168.2.1 unknown unknown 22->39 signatures11 process12 signatures13 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 26->59
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c4870350597d2092b5c4c7073cd4538734693a18833ff3e1c8325f19363bd96f/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-04-08 05:49:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
47
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ysdqguczpuqjfnoey4dtzvctq42gsoqyqm77hyoigjprsnr33fxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220408-ntek1ahfdn/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c611a6ceb263401ed18ff93961bd6d0cdf8757e48d8e76b13943e85b9d3b5a0b
MD5 hash:
f9b293305bd04eee511c0ffd0e7f29d7
SHA1 hash:
fd981a9537a903422311f582defc1c8fd97248af
Link:
https://www.unpac.me/results/11ab3cbb-ad79-4898-be63-35b8e3267b23/
SH256 hash:
7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a
MD5 hash:
72403055ee098f50bcc8a238fdbef878
SHA1 hash:
eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d
Link:
https://www.unpac.me/results/11ab3cbb-ad79-4898-be63-35b8e3267b23/
SH256 hash:
f7cfefeeb635a25ea33b8921d2da4b46d0f301fded20f297921769ad664760e5
MD5 hash:
fc05ef30d9d06337930de3d0cd958426
SHA1 hash:
b1b9ae6702b163a47fcb6151eb9cd45c337afa38
Link:
https://www.unpac.me/results/11ab3cbb-ad79-4898-be63-35b8e3267b23/
SH256 hash:
21da0a74bf4268a9ce468230c1dfa9b1ac8ae5d59bc9fa3c9a5c41d5c7684fd2
MD5 hash:
796fb628f699a0d18448eb2e4ef11b69
SHA1 hash:
7aa8b830afc32a9a7ea5c0f79c894cf42c49df64
Link:
https://www.unpac.me/results/11ab3cbb-ad79-4898-be63-35b8e3267b23/
SH256 hash:
631548917f09d362047c8851388d93ebe0f5353645d6a720cb45d95263418a98
MD5 hash:
8d56970925ef17aa101200d4bfde4a43
SHA1 hash:
64058cd35df60c130322b6db3c88002b32483e77
Link:
https://www.unpac.me/results/11ab3cbb-ad79-4898-be63-35b8e3267b23/
SH256 hash:
c4870350597d2092b5c4c7073cd4538734693a18833ff3e1c8325f19363bd96f
MD5 hash:
3b1da3d3a0db8376aa3062cdc693c377
SHA1 hash:
57a7d719ca3b4a1895c0d82a039ad94aa7b64c6f
Link:
https://www.unpac.me/results/11ab3cbb-ad79-4898-be63-35b8e3267b23/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c4870350597d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c4870350597d2092b5c4c7073cd4538734693a18833ff3e1c8325f19363bd96f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262137/

Comments