MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d42a484bf737e8207f34da4c145571f8cc387e941f85d5b9c5fd07b51094bc59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 16

SHA256 hash: d42a484bf737e8207f34da4c145571f8cc387e941f85d5b9c5fd07b51094bc59
SHA3-384 hash: b3774fc510a0deb89b6a7b4624e310b15b7263ba30cc3fb214f2a9a584f59809210f5ec4279a6d9c36e5aa6aa9d2ea6e
SHA1 hash: 4091b9bc4a764ff228b1efe160b1cca5fe8d9095
MD5 hash: efa53d48a12ae904fbe8b8d1cb5c6bfd
humanhash: william-beryllium-uranus-venus
File name: Optus LLC Quotation Request.exe
Signature: AgentTesla
File size: 1'540'096 bytes
First seen: 2023-06-12 09:37:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:zFROyqGUL8sjKvG43MHsNkaNGgwgpqrGrFrHykecOI34vDnhQ/hbHEm3QN0zaR5t:TNqGo8/vzMARGgwgpqrGr5y7nI3KDnae
Threatray: 1'005 similar samples on MalwareBazaar
TLSH: T1BF65122863FB476ED4BB6FFA1930027493FA28657577E3460E9270C99D26F150B40AE3
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: adrian__luca
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 260
Origin country: HU

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Optus LLC Quotation Request.exe
Verdict: Malicious activity
Analysis date: 2023-06-12 09:40:38 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Drops PE files to the document folder of the user
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph ID: 885885
Sample: Optus_LLC_Quotation_Request.exe
Startdate: 12/06/2023
Architecture: WINDOWS
Score: 100

Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 9 other signatures

Process tree (numbers in brackets are the graph's own node labels; indentation shows which process started which):
  [9] Optus_LLC_Quotation_Request.exe
      dropped: C:\Users\user\AppData\Roaming\qxCYKFF.exe (PE32); C:\Users\user\AppData\Local\...\tmp7F56.tmp (XML); C:\...\Optus_LLC_Quotation_Request.exe.log (ASCII)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
      [19] Optus_LLC_Quotation_Request.exe
          dropped: ._cache_Optus_LLC_Quotation_Request.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII)
          [28] Synaptics.exe
              signatures: Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; Adds a directory exclusion to Windows Defender
              [38] Synaptics.exe
                  network: freedns.afraid.org 174.128.246.100, 49716, 80 (ST-BGPUS, United States); docs.google.com 172.217.18.14, 443, 49711, 49712 (GOOGLEUS, United States); xred.mooo.com
                  dropped: C:\Users\user\Documents\~$cache1 (PE32); C:\Users\...\Optus_LLC_Quotation_Request.exe (PE32); C:\Users\user\Desktop\._cache_Synaptics.exe (PE32); 2 other malicious files
                  [48] ._cache_Synaptics.exe
                      network: ftp.boydam.com; boydam.com
                      signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures
                  [52] WerFault.exe
              [42] powershell.exe -> [54] conhost.exe
              [44] schtasks.exe -> [56] conhost.exe
              [46] 2 other processes
          [31] ._cache_Optus_LLC_Quotation_Request.exe
              network: boydam.com 43.230.160.249, 21, 49708, 49709 (NUSANET-AS-IDMediaAntarNusaPTID, India); ftp.boydam.com; 192.168.2.1 unknown unknown
              signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file
      [22] powershell.exe -> [34] conhost.exe
      [24] schtasks.exe -> [36] conhost.exe
      [26] Optus_LLC_Quotation_Request.exe
  [13] qxCYKFF.exe
  [15] Synaptics.exe
  [17] EXCEL.EXE
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2023-06-08 08:38:23 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 23 of 37 (62.16%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files

SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

SHA256 hash: c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash: 9390df6c9a6111978dee5414bc42eda6
SHA1 hash: d3cb1c366b9e466afa93eb369838a04d30777795

SHA256 hash: d11040e8d9617a504d2a48e63c276251e9500746aedf7673c60e1aa4fe5d0289
MD5 hash: 0f84def2cee9bdde7ba161d16f501505
SHA1 hash: 89008c9350347802be0897f55e08ca5f8afc8740

SHA256 hash: 1d27fb866f43be656ccd800054405f8681ed77d0d90f440e0877c7740ddf7244
MD5 hash: dea93e3bbaf3c4e335bb182499505d3d
SHA1 hash: 539796e66998997ef89764f9878cee2b939da812

SHA256 hash: 0b5e1510c0b1c669c99c2e54c8ed750b3041c3f2a4e8bbcbd72b5a059d6c8b87
MD5 hash: b24659673e8961d85e80c15c94305961
SHA1 hash: 4f5471c2016daecc0b6776d6f46819ace7f311b2

SHA256 hash: 4d82c1cf3fe5d563d144b3d5b376210d6d0edbccdf4c6e2650d7ab45e4c275f4
MD5 hash: 954bdca3376b9a68bda283bb23802f00
SHA1 hash: 17589e3866d7a72e8c61a718a83716534ebd06c3
Detections: AgentTeslaXorStringsNet

SHA256 hash: f1a3d325ce6e8e069cb9d2be1ae616dcd40c457be93336c08f20965e4f90df55
MD5 hash: 885fc3055910e6a9ec0a450e7ebd2372
SHA1 hash: 8ee5de8d6697bcee7f35f038e659e2889dc21989

SHA256 hash: d42a484bf737e8207f34da4c145571f8cc387e941f85d5b9c5fd07b51094bc59
MD5 hash: efa53d48a12ae904fbe8b8d1cb5c6bfd
SHA1 hash: 4091b9bc4a764ff228b1efe160b1cca5fe8d9095
Malware family: AgentTesla.v4
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MSIL_SUSP_OBFUSC_XorStringsNet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference: https://github.com/dr4k0nia/yara-rules

Rule name: pe_imphash

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla: Executable exe d42a484bf737e8207f34da4c145571f8cc387e941f85d5b9c5fd07b51094bc59 (this sample)
Delivery method: Distributed via e-mail attachment
