MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40
SHA3-384 hash: 0469d36d44bd5ec0082a3bc3ca1d3345e9558c27c7d345d177a8b2e22449e5afdf9d8888486dc944f8036165a532fc81
SHA1 hash: 7d7d546bd5d42e7d829cbbbdafeff4f966b957ea
MD5 hash: 1fa4a5c689de43891a6fc6749c8b8a03
humanhash: fanta-whiskey-michigan-lemon
File name:OC & COA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:944'648 bytes
First seen:2025-04-02 07:50:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:Qj2n6niR7shMTkEgYVGF7nhKiYtgn/Z6cvTXI5WANQtT:QjbniRAhQnVGF7h+en/I4TXeNQtT
Threatray 4'320 similar samples on MalwareBazaar
TLSH T1A915D084AD944E53CAB21AF51642DFF0EBB70D86A7C3C58B9BCB3F9B361A3485D14481
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon fcf0e8c8ccf0f0d4 (2 x AgentTesla, 1 x njrat, 1 x SnakeKeylogger)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
42a4aabdd58575f684b3bcf47947b9420931b5a90744e07080f39792ae2dca22
Verdict:
Malicious activity
Analysis date:
2025-03-24 15:23:20 UTC
Tags:
arch-exec stealer exfiltration smtp agenttesla ultravnc rmm-tool
Link:
https://app.any.run/tasks/6c7f4719-49a3-4352-bbf3-858fd267093b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/97/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e178e6bb84e066269e7b4e
Tags:
virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67ecec5ef274bf2d8e2de4b3/reports/c6df4299-cb89-4cbc-b9cd-25337c2932fd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/099f3d31-b88a-42f7-85e2-874d03ae7515
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1654377
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-24 13:11:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2sxh46ioo53db4zmvs4lff22i6fhawhr4gibbo27fv7drhwwjnaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
114352a381c20bbe3de6bdf0a37b796dbd2858f1e1f83edd91364bc294db0ae8
AgentTesla
1eee47020391da55dc802775cfaee097529916e00a309c48fa9973fa9dd7c7cf
AgentTesla
3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72
AgentTesla
8f6952d8695ee78e7c79808b37e18213d29fc67db10b4c7872259e153256195f
AgentTesla
be97e1d540ea8ba81adbd8873a4ef6123f6d5d3ff51fa010e432ae7e4cad8e99
AgentTesla
f94a62b2332593b4de3797cb1fb3127a682f2623d12e5f731157190526f6ef5c
AgentTesla
+ 4'310 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250402-jppsyswnv7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/27586e79-f096-4dfe-a34c-51e45fee2065
Unpacked files
SH256 hash:
d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40
MD5 hash:
1fa4a5c689de43891a6fc6749c8b8a03
SHA1 hash:
7d7d546bd5d42e7d829cbbbdafeff4f966b957ea
Link:
https://www.unpac.me/results/b5c72807-0380-4ac9-8a2f-92c333ea91c6/
SH256 hash:
8ede82dad7d33c605dad149b89e850ded7cd201c07148fead22226d1e476712a
MD5 hash:
87947a3f59f82118b8ff1571e5491d25
SHA1 hash:
01dabfafb490b7353a593be59ca3a62bbd3f0db1
Detections:
AgentTesla
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
win_agent_tesla_bytecodes_sep_2023
Create hunting rule
Link:
https://www.unpac.me/results/b5c72807-0380-4ac9-8a2f-92c333ea91c6/
Parent samples :
2b44c9721b8bb2b4ff211c079e010a9e6c0f612a62e6f6e6aa6437068f00a46f
6e415aaed2f0cd6af7f8a6a12adf8fed6c0a463411a5bfc5b7406df778025228
2999ba115d43dd82cf961003228e5c122ed46e1124d76d3e149632a428898082
33887e89b9bee91752a8ce8ba3090b7440f9be51454902a42c287fe87f87062a
0d0bc3db92e427e4774d5163e82bcb2c43abea5459d2541ab7da179e1dd41364
9e783a78671bd03144b0def1540d93a92dbb8fcdd5a75bfa26a1d11e6c613bff
4e6003b77cd84ef993df8a6d25b84af2ea485ec61c501b77dde3891ecf2ca2a5
ad4cfc06bad357de4ab58c9c01bc2e7015fd1944e35a206ef8b053611119f04f
8625d1a95c9e76d0cc6a7784fece1ab7af594e95f75d42da66f78ec7d076f3f4
d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40
1def028a8d3a11f2e0069cf1b22f68ee8ef54d6c05d4e7f90f1a4966579fd8ab
8932c8fb9e45050d69d5ef9afab581830877111388ebb88953a83775402a514c
8a29df075f25088cb64a71e5bb3dde77ee7868f674bfc2a70c418c1db5df0dc4
2c8b9e610654051416e50f854aed33feb17f7e4c7a03bbb9f24f54a1fe840263
907f26dc07aeb383f8c628559a6357528780aee16f719e107873cd1b8854ab1c
9ed50f20e90c320a451dbb770f0dfd976a4c2b2383394405e40ff24bf25c8de2
d716a426e3ce97de603f54e0f4d7244533ba48d2bc8b1d4cc476037373710f3d
SH256 hash:
e30b06582123712deedbbde3e7500b084181655046409c8182af6d10b65a521b
MD5 hash:
65dc8132d6526960d28f5548a0219835
SHA1 hash:
0f1f996a18bd4f96fd077d8cd3d1863674554fe8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b5c72807-0380-4ac9-8a2f-92c333ea91c6/
SH256 hash:
cf68f822581c977624b554e9669f1dacd3ea27da419ce7d922c4fd7159a37655
MD5 hash:
ef21daeeb39441e28b0cc86cc0e23235
SHA1 hash:
1297757d3382f98c8d391ee50d0dd892ab4f4440
Link:
https://www.unpac.me/results/b5c72807-0380-4ac9-8a2f-92c333ea91c6/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4ae7e790e77/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV4
Create hunting rule
Author:kevoreilly
Description:AgentTesla Payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:win_agent_tesla_bytecodes_sep_2023
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d4ae7e790e777630f32cacb8b2975a478a7058f1e19010bb5f2d7e389ed64b40

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/97/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments