MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4f81112f3d6feee57e2440d34eccebd05236fa14c25aa2834e090dbf8d669b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	c4f81112f3d6feee57e2440d34eccebd05236fa14c25aa2834e090dbf8d669b6
SHA3-384 hash:	ff40e13881199516afa7cea29736cdb8b8e50b263a924c33585fe37d566bc6764b3b5998253904fa5b172ed92c16ce2b
SHA1 hash:	271f0596a92c1d3fcc27d43202b1bf66f6a5263a
MD5 hash:	20dda300ddb65bdcebabf5bd2e47e429
humanhash:	artist-grey-alaska-jupiter
File name:	20.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	312'320 bytes
First seen:	2022-05-13 12:00:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:AYRu2Mo+Efv8I1zd5wIJH5y5bv35hIIlfP7RGffOF32YCwM:pAHet1p5ZXyldlfdG3YGYC
Threatray	16'971 similar samples on MalwareBazaar
TLSH	T14E64D0727D82547DCAAB077104AA81C1FAB51FC73FA1870E719A730C1E31A6BAB93157
TrID	38.0% (.EXE) Win64 Executable (generic) (10523/12/4) 23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 16.3% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.EXE) OS/2 Executable (generic) (2029/13) 7.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	0x746f6d6669
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/270404/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/627e48967804b2efc492fe9c/reports/6af89c02-6564-4379-93d0-a8a54ff9b46d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a784a77c-e1ef-4a9d-84f8-5bb33dc5a287

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/993535

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c4f81112f3d6feee57e2440d34eccebd05236fa14c25aa2834e090dbf8d669b6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-02 11:46:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

128

AV detection:

26 of 41 (63.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yt4bcext237o4v7ciqgtj3goxucsg35bjqs2ukbu4cinx6gwng3a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5d672704a21b30d710a99381dd8d60bff67f68428f2b1b73ffd67169aa1cc487

AgentTesla

6bb7b6c331af0d1b959bfdaeb261e66f4564eb94e8921e771bd60379720dbe4e

AgentTesla

7e3e2a98f50147b5dc6027917bfea6e0e0cfbb885c1bb6680f8e9ab9d5557dc8

AgentTesla

b741f707e4cdb31043a72e099d9ccd5a47a9d5c44dce64e886ca631231d125cf

AgentTesla

cac661a3d567566e4b42455a3f128af9d0eb7e29af9d87259a2a0cc6d789b0d4

AgentTesla

d9fb44546c5b37b00bcdc500f1d8247523f8c2fb178ec29cef44bb40584479c0

AgentTesla

dfe305e21d22d684f5b30e4de4d8f8f6f8cd1fcfd6c3875fd62b8f9bdbf7c905

AgentTesla

+ 16'961 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220513-n6v4hsfbe8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1259122609:AAGwYhQ2ltsS2wsydEBpJSh4ZNwzZcy2NfQ/sendDocument

Unpacked files

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/d4591ce7-018b-460e-a59f-a51d0263f5bd/

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/d4591ce7-018b-460e-a59f-a51d0263f5bd/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

019b0938891624167eb4ecbb02ced61fbf3236ee1ea8bc41f9e792c196c223eb

MD5 hash:

8b02686e92a554b9525c98064d9ef218

SHA1 hash:

b98cd8bf3cd6bd3a11a34cdb88fcb7a514987551

Link:

https://www.unpac.me/results/d4591ce7-018b-460e-a59f-a51d0263f5bd/

SH256 hash:

85149b884607f6bb7317c7fb893b8cabc550422ecd62bd59509a3d5fcf44b56d

MD5 hash:

a5baef204b1c2470b3692ead91645bcc

SHA1 hash:

636c826cd651b6817711353b140d7960731daec5

Link:

https://www.unpac.me/results/d4591ce7-018b-460e-a59f-a51d0263f5bd/

SH256 hash:

c4f81112f3d6feee57e2440d34eccebd05236fa14c25aa2834e090dbf8d669b6

MD5 hash:

20dda300ddb65bdcebabf5bd2e47e429

SHA1 hash:

271f0596a92c1d3fcc27d43202b1bf66f6a5263a

Link:

https://www.unpac.me/results/d4591ce7-018b-460e-a59f-a51d0263f5bd/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c4f81112f3d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c4f81112f3d6feee57e2440d34eccebd05236fa14c25aa2834e090dbf8d669b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/270404/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample