MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4e0dc6e17b1fa764dd6b935e5ccec17ccf6bbf0a6549ac2814ec74acc5f978a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4e0dc6e17b1fa764dd6b935e5ccec17ccf6bbf0a6549ac2814ec74acc5f978a
SHA3-384 hash: 908dfcb2d6f82f540c61972ad6afe839e08c9f8c5f8c79898add1aa8fa469e1b52fd6aa476a9d5d30fe9d779223ff4cb
SHA1 hash: db8b87d2189ebb2b0a2d6304b9e40110c4ce39aa
MD5 hash: b9d57b113afffb65f594d458b5f14eef
humanhash: paris-sierra-tennessee-social
File name:Gerber.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:946'688 bytes
First seen:2021-07-12 13:01:29 UTC
Last seen:2021-07-12 13:56:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:HUWL3mZ+Y+vKfnA/b1VuXPeUbLvunU/0BKDR:u+YfPHXGUPvKrKt
Threatray 6'603 similar samples on MalwareBazaar
TLSH T1C91517E923BD9045F13AEBF06B1BAA474E5EB16D512D73090FB186C63821D70BB76072
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171099/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.925.16369.27342.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ca0b9c3-b3df-44eb-8bfb-9c8ae1104689
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814959
Signature
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447368 Sample: Gerber.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 6 other signatures 2->35 7 Gerber.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\bylIwajVGjaI.exe, PE32 7->19 dropped 21 C:\Users\...\bylIwajVGjaI.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp43F0.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...behaviorgrapherber.exe.log, ASCII 7->25 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Injects a PE file into a foreign processes 7->43 11 Gerber.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.privateemail.com 198.54.122.60, 49747, 587 NAMECHEAP-NETUS United States 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 2 other signatures 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4e0dc6e17b1fa764dd6b935e5ccec17ccf6bbf0a6549ac2814ec74acc5f978a/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 10:18:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0238c1e342f75ea17b028b82f6655e38a859d09b9cdf822aaf5512c51066b75d
AgentTesla
02ed4dc00a2f957e80270195cda35ea37a242708c9f29e3385df801bb6d6f1f4
AgentTesla
0766855bc1132b77ae0fada466b7ce4d9bc715fa3737f2c0d717724aaa9e218c
AgentTesla
14d312f9a9f34bf80a0b27717a5cf84330e86d208dcebcf045f34f8d095ba9b6
AgentTesla
96ffff22881ed8ea22e10a766c0b269f81bf7879531e8b8590b7ed79e47a0eb4
AgentTesla
b30b08c58db97c9b2b9b14b6ab283996549db585c2f7625c72c2fe9bd7d8dc18
AgentTesla
db8a38eeffd2993db0c1e35fd632cde7d7efb0b92c2aa779b234b3e925901b47
AgentTesla
e4ff44b9d1c18f55e807f08d68ee5504d534cadc401223bb4505696cf9e2f290
AgentTesla
e5959f481a796647a6d5bb7662dd6b77411dfe29b9c3935342c8a7c7ee90c75d
AgentTesla
+ 6'593 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210712-hh762zykmj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
150863ba81850bc01badbf43c4651f501ab1506317c106a242dc5efa211e3643
MD5 hash:
da56dedf2b7ae4db8f5b92dff4ee2078
SHA1 hash:
ae90f690e04906bd3f49379ce1b2fbed1def4df5
Link:
https://www.unpac.me/results/731938d5-2db3-4de2-b659-16a784380eb1/
SH256 hash:
04433a494545e874ce434f4d024ba3f4c1049359cc38f688c251538305cc6905
MD5 hash:
a4b6bf3018ef7b9a07e6224135ad50ec
SHA1 hash:
88765cacd56aebf1f71a8f1409c79ae2b114a100
Link:
https://www.unpac.me/results/731938d5-2db3-4de2-b659-16a784380eb1/
SH256 hash:
95db9ea387e9f3b3287ef084a26999389efeb8bab1c427dbeb0cef7d79f12dba
MD5 hash:
b02464cb94a4a71870be407a9bd9b953
SHA1 hash:
81f00c7420434bbc6018203c9527d934870faf1c
Link:
https://www.unpac.me/results/731938d5-2db3-4de2-b659-16a784380eb1/
SH256 hash:
9470ca32bd526d4c7ead883373b3853a656b98a0d88c1eacdd9b963a15ae8933
MD5 hash:
9f3dec142d8efb452525f1eab5e2df8e
SHA1 hash:
49cfe0ab0b2140015dd42d02533571083c7611f3
Link:
https://www.unpac.me/results/731938d5-2db3-4de2-b659-16a784380eb1/
SH256 hash:
d4e0dc6e17b1fa764dd6b935e5ccec17ccf6bbf0a6549ac2814ec74acc5f978a
MD5 hash:
b9d57b113afffb65f594d458b5f14eef
SHA1 hash:
db8b87d2189ebb2b0a2d6304b9e40110c4ce39aa
Link:
https://www.unpac.me/results/731938d5-2db3-4de2-b659-16a784380eb1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4e0dc6e17b1fa764dd6b935e5ccec17ccf6bbf0a6549ac2814ec74acc5f978a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/171099/

Comments