MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4fbf24e76e4194be06a7231ed375f0c14cfec02c6dbf4b79a3829eedc50731f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4fbf24e76e4194be06a7231ed375f0c14cfec02c6dbf4b79a3829eedc50731f
SHA3-384 hash: 6338ee539312e9914d70a57db827812e3a2330af4603576a9c903922377632d5b2de89c701737c9e840728a0bc767410
SHA1 hash: 979974a9a25b92d7f443123a5202174f97d8bbd3
MD5 hash: 7f8546c267c567d5585084f87b4eb7df
humanhash: georgia-equal-johnny-maryland
File name:BL.35HG8 CONTAINER76TTY6544LIST excel file list.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:989'184 bytes
First seen:2021-05-16 04:57:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0kj0wtUPo1RPEV+2Ms2NO5oT900lDLflnMztdCfIBfL4S3O1r5:Ewtko1RPELMy5oyalodthB8
Threatray 4'962 similar samples on MalwareBazaar
TLSH 8425BF5C2684994EE17F2FBC4DD870206374656AA48BEB4C5FC215FD2CE7B218A0D39B
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BL.35HG8 CONTAINER76TTY6544LIST excel file list.exe
Verdict:
Malicious activity
Analysis date:
2021-05-16 04:59:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dcfe225a-bbde-44e1-8225-0f66102e6b15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157516/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782946
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 415342 Sample: BL.35HG8 CONTAINER76TTY6544... Startdate: 16/05/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 10 other signatures 2->41 7 BL.35HG8 CONTAINER76TTY6544LIST excel file list.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\jRDjSOfGZ.exe, PE32 7->27 dropped 29 C:\Users\...\jRDjSOfGZ.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp35B3.tmp, XML 7->31 dropped 33 BL.35HG8 CONTAINER...l file list.exe.log, ASCII 7->33 dropped 43 Adds a directory exclusion to Windows Defender 7->43 45 Injects a PE file into a foreign processes 7->45 11 powershell.exe 23 7->11         started        13 powershell.exe 25 7->13         started        15 schtasks.exe 7->15         started        17 3 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4fbf24e76e4194be06a7231ed375f0c14cfec02c6dbf4b79a3829eedc50731f/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-05-16 04:58:11 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2t57ettw4qmuxydkoiy62n27bqkm73acy3n7jn42hau65xcqompq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01e0e23344d864274234eec885025ab002f0aa985dce543cdb7b4462171a58e3
AgentTesla
1109e9c4a8dceb63160c59807b81adc6d4e82c28529c80bd1ff80993dc906508
AgentTesla
453a31205be3f40f684ea141e476ed1a75a1ea66e92610f74e209ea2633f6621
AgentTesla
48b2ebf2ce150e84bae3f063b8458b6f1608a5fea01531244fa005d70727605c
AgentTesla
82974999943578ea16bc86bc5e87c7a6122e24593a9adc2f069f81be85ed79cd
AgentTesla
84dfaabb904c6d5770ddd154af72512e455ac9276dfb8d3173de892a3d7b6daa
AgentTesla
8b345f73d84e6fc765d7907aaa33d844ef2c180024baeaa53ff895bab8e19356
AgentTesla
989f330817cadbe60308cdd0977792aa3ee8fd2f55b2e92ed32d2416de16c32d
AgentTesla
a9b37a3aeb448a3c41a12ddcf5e6fdc7918593a2c5c90ccc2920ee2831556130
AgentTesla
b96e5b8548a31fc43385a31b1c23a9ad95440309ccc6baa10dced1833e118d5e
AgentTesla
+ 4'952 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210516-ck54krnfze/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4fbf24e76e4194be06a7231ed375f0c14cfec02c6dbf4b79a3829eedc50731f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157516/

Comments