MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4063ea8895f02a2e6c2ac34baf9bf6eabf2f1cb656256e946553d143d9d060a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4063ea8895f02a2e6c2ac34baf9bf6eabf2f1cb656256e946553d143d9d060a
SHA3-384 hash: e1d1fe0410ae4f92f6c5564783681a373b0cd0721cc463398f2f203df8bb15a6dfd012692cfe8642a05fb6687b630ad4
SHA1 hash: 9b13cf9c4438eafe08d3c8198ea680b0a52bc45e
MD5 hash: d0a9ab9210d13b671164e15a85492060
humanhash: delta-cup-tennessee-music
File name:L9d4lSc9LF4Yv1t.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:940'544 bytes
First seen:2021-09-01 21:51:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:bXz/F84DtPASSVdYiO5GpS4u6C5oWpf0y3k0Vb/AElj8iDxLBYR1p2Z3+Xf6Meit:bXzlIvRtqFaJxLrhzlJ
Threatray 9'390 similar samples on MalwareBazaar
TLSH T13615DF3DAD2626336FA9B17CD4E6194EE79414EB23714DE9D1E2B38C200B917B2D631C
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
L9d4lSc9LF4Yv1t.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-01 21:54:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d38aa25b-ad4d-47d3-96f1-35270a8262f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184581/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f1a079b-fb11-4a54-a2e1-d195831f7a20
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843667
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4063ea8895f02a2e6c2ac34baf9bf6eabf2f1cb656256e946553d143d9d060a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 21:29:10 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qdd5kejl4bkfzwcvq2lv6n7n2v7f4olmvrfn2kgku6ripm5ayfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12a274ddd6b7467b4e9374d80a3d3fd4e8cfc576da550801adf0bc6b6617bb07
AgentTesla
1dd9b2ee10e6a2b338d8e743d22226f7895e754b0ca2dd66ff5c8461fb376eec
AgentTesla
23cd04354a8a5eea8fc0908ae207a8d8c0449dd038cca3370e34d67cd74d2a77
AgentTesla
528fc6d3398f8379da836b5a3fa85da6dfd8aec284ce12a04abfa32d6d78da14
AgentTesla
54900b228c2eec7f6ee4dbb946cd01c7f9b5675a3694e906267664153b6a3097
AgentTesla
572f4fd77cd3857dea37a6fcd49e4ff65ed30bd960c341988ca81fd2338ca754
AgentTesla
68502a80bec0322e11e38a6e52cda66a56d649c386fa37dd8ee6729539c519ea
AgentTesla
d33dac65118a88b15580c028deba8f4ecc95ff7d0a316259612264a0b6e06d11
AgentTesla
+ 9'380 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210901-djrdtxd916/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a0140054f8b2cc07968bd9a769997b448594047ad8b67454e6ea42f29558a1a1
MD5 hash:
69b398dc9d1c9a7a96fb56f16acab26c
SHA1 hash:
77848bb35ee21ee1ad75b916e052fd2bed21b192
Link:
https://www.unpac.me/results/dda0c4dc-31ea-435c-8bbd-09ead297f49f/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/dda0c4dc-31ea-435c-8bbd-09ead297f49f/
SH256 hash:
a2f3854582e30546780e4a6e0628b18edec852758f95c61c6406084aa2af23cd
MD5 hash:
cc3ad3d429a870d08211eaabdc5029a6
SHA1 hash:
2ff114cf3648e07a9bf5ef7bb6f8e6746ef7399d
Link:
https://www.unpac.me/results/dda0c4dc-31ea-435c-8bbd-09ead297f49f/
SH256 hash:
d4063ea8895f02a2e6c2ac34baf9bf6eabf2f1cb656256e946553d143d9d060a
MD5 hash:
d0a9ab9210d13b671164e15a85492060
SHA1 hash:
9b13cf9c4438eafe08d3c8198ea680b0a52bc45e
Link:
https://www.unpac.me/results/dda0c4dc-31ea-435c-8bbd-09ead297f49f/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d4063ea8895f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4063ea8895f02a2e6c2ac34baf9bf6eabf2f1cb656256e946553d143d9d060a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d4063ea8895f02a2e6c2ac34baf9bf6eabf2f1cb656256e946553d143d9d060a

(this sample)

  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184581/

Comments