MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072
SHA3-384 hash: 5ff0c2f28d5b1a73b92fcf9f548417cd374b30722e45ce0ea3d9b5f350baa968b70cc08cf092ee317036252db257e0a2
SHA1 hash: 3b0c6f713ace5b7f7ebdbea264e94efe7a266ab9
MD5 hash: 15b33c62b36702bded03444a046a70f8
humanhash: london-mars-yankee-salami
File name:ugopoungdh375.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:629'248 bytes
First seen:2023-05-13 22:58:13 UTC
Last seen:2023-05-14 18:42:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ZFW1VDuefs30SuPdrmny6XM/PeFigttTYxod0Rym4PioL2e3:Z41VHfWnXM/PhwJYhRyAoL2i
Threatray 3'475 similar samples on MalwareBazaar
TLSH T1CCD4E175519F8980E40FCBB164BCFC72573270E3DAE9C935076AA180CE6BF546D8898B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e29c2c74d4d4d4aa (4 x AgentTesla, 3 x Loki, 2 x SnakeKeylogger)
Reporter JaffaCakes118
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ____RM quotation.doc
Verdict:
Malicious activity
Analysis date:
2023-04-21 07:41:01 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/a401632f-d1f6-4b8a-81bf-f060704c72b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389253/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66545281.14964.20080.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6460163c531a5c5018010165/reports/8ca93e68-74c3-46fc-85f3-fc76b5361dad/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b5d5ff5-d283-44ee-8685-cf0fc5ad5c30
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232321
Signature
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865304 Sample: ugopoungdh375.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 5 other signatures 2->59 6 ugopoungdh375.exe 3 2->6         started        10 TKQShz.exe 3 2->10         started        12 TKQShz.exe 2 2->12         started        process3 file4 23 C:\Users\user\...\ugopoungdh375.exe.log, CSV 6->23 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->61 63 May check the online IP address of the machine 6->63 65 Contains functionality to register a low level keyboard hook 6->65 14 ugopoungdh375.exe 17 5 6->14         started        67 Multi AV Scanner detection for dropped file 10->67 69 Machine Learning detection for dropped file 10->69 19 TKQShz.exe 14 2 10->19         started        21 TKQShz.exe 12->21         started        signatures5 process6 dnsIp7 29 mail.ungaplc.com 14->29 31 api4.ipify.org 104.237.62.211, 443, 49701, 49702 WEBNXUS United States 14->31 33 api.ipify.org 14->33 25 C:\Users\user\AppData\Roaming\...\TKQShz.exe, PE32 14->25 dropped 27 C:\Users\user\...\TKQShz.exe:Zone.Identifier, ASCII 14->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 35 mail.ungaplc.com 19->35 37 api.ipify.org 19->37 39 mail.ungaplc.com 21->39 41 2 other IPs or domains 21->41 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 51 Installs a global keyboard hook 21->51 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-21 05:57:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sqk45tsn43mxkpqjhi4hd7j4cwomxhel56tgh4n2qromjuw4bza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a3910d28d3f2f885f656070a26c9f7abafac1e5231c6b9a8e07844a833f6077
AgentTesla
1863faaafba4ed1cb5e13451aab6ccc864569bd65c7f01e58da3c66f2f0bafb5
AgentTesla
26e4169f450ad33d2ac91ed523a144039a75b295dd77493dd6b15bda5e7094f6
AgentTesla
504a27b4efe9db79bb0ac1fd1a3258d6b94c7989e4b4b892e587e40d6dd4dd02
AgentTesla
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
AgentTesla
8ab437ed1b348f24d6a58965cdc27a3e23cfc82fef4456bd3623f739abf196a9
AgentTesla
bbdd3c67e8780f70bb81bbd019cc39c40b8efb9653dcef5e625409fc3ceedd10
AgentTesla
de87c0d98a2e2b5a8d78eaade6cb33caca49972baf3141f4a38fe3baa80d99ae
AgentTesla
e45adb38f46b6275c9208ffc10f5ad840da121078544fad3555ef8183608dded
AgentTesla
f44bc5440ea740d4aa104363157abba31e781936400873d4ac4736506c0b0246
AgentTesla
+ 3'465 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230513-2x1vashh53/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
686d7a0f616c32c209dbc486d15fc72b99246a22a7063f31bef14cf3dbefc608
MD5 hash:
db1b60e5ba59ba71e3206ff672d10a01
SHA1 hash:
f605cd33fbf3159bc77452cbd78e7f8b4159e65b
Link:
https://www.unpac.me/results/327ae7bf-c9ba-4dea-873e-d5025469b345/
SH256 hash:
ac96abd830886841e0ad57a02a3f128e759e47ac2e0822255bd697bd37b7aeae
MD5 hash:
b0ec134a84171364c67058da08665ca0
SHA1 hash:
ecbdb67f7ab9da5705afe71ce763e26f7949822b
Link:
https://www.unpac.me/results/327ae7bf-c9ba-4dea-873e-d5025469b345/
SH256 hash:
e202dd62103497ea742e934276e5b93f43ad514dcf64af48d6518ad34fb302d2
MD5 hash:
ad17fd25de40131fa2befcde155f9fba
SHA1 hash:
b6d6a231a7833d9bae4e79d03017a47b272b3837
Link:
https://www.unpac.me/results/327ae7bf-c9ba-4dea-873e-d5025469b345/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/327ae7bf-c9ba-4dea-873e-d5025469b345/
SH256 hash:
f2504009ae09a97da43834ffbac4f4dec0c503c285deda363f9d72d52d28d13a
MD5 hash:
f10017bb66bf82310b03d74a475df2c3
SHA1 hash:
273f4111e39d8c0d590e54cbff8da3b2be8a913d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/327ae7bf-c9ba-4dea-873e-d5025469b345/
Parent samples :
e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072
c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe
SH256 hash:
e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072
MD5 hash:
15b33c62b36702bded03444a046a70f8
SHA1 hash:
3b0c6f713ace5b7f7ebdbea264e94efe7a266ab9
Link:
https://www.unpac.me/results/327ae7bf-c9ba-4dea-873e-d5025469b345/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2346138/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/389253/

Comments