MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d
SHA3-384 hash: acf684a4bcdcf37836c3230359c19dae889a00e01ea0d2250630983db00d6c7387a6820b65b8803e4b0b31d65dffaed3
SHA1 hash: 2bca9ade535385cba3e83f875f7cac2302954e3a
MD5 hash: 9927446fe150deea07f6110ff4f20018
humanhash: cola-utah-table-eight
File name:FİYAT TEKLİFİ TALEP RFQ_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'199'104 bytes
First seen:2021-12-15 06:43:30 UTC
Last seen:2021-12-15 08:58:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:lFKwPW4Zw0Yqx9nR7TOV8X2eJO7UM60/nmym8uP+CtVo1heP:lJPW4ZrYU9nJTOiX2eJOT60hLuPvW
Threatray 14'325 similar samples on MalwareBazaar
TLSH T15F45121D7983E9CEC5214EBA3B6580242571EC766907E387F4C9329F593B3A83E63706
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FİYAT TEKLİFİ TALEP RFQ_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-12-15 06:47:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/314f97f8-3a68-46df-9764-64114b6ccf5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214197/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1128.11060.8236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b98eb5dbe06b75d7be11ca/reports/03631f20-999c-45ba-bf8a-d4a2784645f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/811a8b8f-2685-4c13-abac-a558bd6faf2c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907627
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540105 Sample: F#U0130YAT TEKL#U0130F#U013... Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 55 mail.etites.com.tr 2->55 57 etites.com.tr 2->57 67 Found malware configuration 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 12 other signatures 2->73 8 F#U0130YAT TEKL#U0130F#U0130 TALEP RFQ_PDF.exe 7 2->8         started        12 RmxqUKg.exe 2->12         started        14 RmxqUKg.exe 2->14         started        signatures3 process4 file5 47 C:\Users\user\AppData\Roaming\tcBSbhwzF.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmpEEB9.tmp, XML 8->49 dropped 51 F#U0130YAT TEKL#U0...LEP RFQ_PDF.exe.log, ASCII 8->51 dropped 75 Adds a directory exclusion to Windows Defender 8->75 77 Injects a PE file into a foreign processes 8->77 16 F#U0130YAT TEKL#U0130F#U0130 TALEP RFQ_PDF.exe 8->16         started        21 powershell.exe 24 8->21         started        23 powershell.exe 25 8->23         started        25 schtasks.exe 8->25         started        79 Multi AV Scanner detection for dropped file 12->79 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->81 83 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->83 27 schtasks.exe 12->27         started        29 RmxqUKg.exe 12->29         started        31 RmxqUKg.exe 12->31         started        33 RmxqUKg.exe 12->33         started        signatures6 process7 dnsIp8 53 192.168.2.1 unknown unknown 16->53 43 C:\Users\user\AppData\Roaming\...\RmxqUKg.exe, PE32 16->43 dropped 45 C:\Users\user\...\RmxqUKg.exe:Zone.Identifier, ASCII 16->45 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->59 61 Tries to steal Mail credentials (via file / registry access) 16->61 63 Tries to harvest and steal ftp login credentials 16->63 65 2 other signatures 16->65 35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 01:46:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rmdom7acbktlccqga6w52zksnwv5c723vftiodwk3unmf2al4wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
012773f5a81b8614893144cbe8afbdca7ca36e58f01233cb19139a200804a8bc
AgentTesla
57b2a44351febaa40160b21423b5f084f15802290e82910cd3d94331eb3e3791
AgentTesla
99ed8a3d3d579ffcbca302f6c584fb044b260495a92d85bc1af66bd295bc402d
AgentTesla
9a6023a8b502b7fe13fbd7c5007c69d02fcd90e98f5206acea450cbe37bd6f1a
AgentTesla
dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84
AgentTesla
e7d489df6c41d065986388f6673e9b179acf89d87acf58ca8a015d778a6c8dff
AgentTesla
ef0a4d74505ed6671e8a1de8c1c3d91d87aa06a0fa63467b3bbdbb241eb9c1e0
AgentTesla
f4bb5c1806e72df06936c0b9b1fefe3cfe5cf68604bdaa36ffbc61a2860aa6b9
AgentTesla
f7e04a704089ed7e79b3642e223363084ed1b482cf417295b64e71ab087edc61
AgentTesla
+ 14'315 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211215-hhg9vshhal/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
604d25d40ac23880e64999fb7d3e5ee835cb2631fcb8eef6f7cde72b45b3f278
MD5 hash:
1d368c8ac8bf5d4d0d5169b264ed50c7
SHA1 hash:
96e9090392f6bb43f94b7ed48e0c5443140ca22a
Link:
https://www.unpac.me/results/08424af2-5b8b-4d55-a3ab-2766ababf587/
SH256 hash:
fbc430bf89e2979a430161b1adeb643876facda203cf3f27fefb74757a9e8b6f
MD5 hash:
5f6e7ea5f75f5344d2a1e3f49696a3f1
SHA1 hash:
41d896d75fd645cb7d9e1130fa67afa8b5b3599b
Link:
https://www.unpac.me/results/08424af2-5b8b-4d55-a3ab-2766ababf587/
SH256 hash:
bab4591cecd9d8751ec1563e45ede800d52b62acbd0cf29d8897fafad0a711cd
MD5 hash:
d9ff9c640617f9061012173a2c794c13
SHA1 hash:
22a71b91e3066a29fe8bfee9260c331ddee07ce9
Link:
https://www.unpac.me/results/08424af2-5b8b-4d55-a3ab-2766ababf587/
SH256 hash:
e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d
MD5 hash:
9927446fe150deea07f6110ff4f20018
SHA1 hash:
2bca9ade535385cba3e83f875f7cac2302954e3a
Link:
https://www.unpac.me/results/08424af2-5b8b-4d55-a3ab-2766ababf587/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/214197/

Comments