MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c
SHA3-384 hash: 6d99943306a1664dbf71ef6276fe44bf4ff080918c557cee431196d4be1c4c36cf766273e9095af72f15330f224a3531
SHA1 hash: 4717cb135554de5f00ee23394d90e94e48140785
MD5 hash: 0ddfc920f96032fe88083317dc5d109d
humanhash: washington-pip-friend-purple
File name:9oKJD6f1zhp0faI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:630'784 bytes
First seen:2023-09-20 08:40:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:uLfb98HzxK12vOGGzrn4PtDyTmbOYbZGqgUgMse4BpN:kbeTxU2vOGuaDyTmbfbZ0UgJ
Threatray 6'375 similar samples on MalwareBazaar
TLSH T17DD4125036B08E4AE45F1BBD0420059137B84A8AFEF9F7581CC6B0E5572FB998613B6F
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 886443434b83cbe2 (17 x AgentTesla, 7 x Formbook, 4 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
9oKJD6f1zhp0faI.exe
Verdict:
Malicious activity
Analysis date:
2023-09-20 08:44:31 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/20f93911-d1bb-4cac-a0e7-7bf9f7c2d9e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449976/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17315.20933.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650ab02033582f234efcf001/reports/2e633e41-71ed-441b-9a41-030a5b81327b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5be245d0-c89a-4a6b-91db-c059418c7494
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311423
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 08:41:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4s2guoio2nmxnanrfmmdjgc2lkg5v5gk5fx7ctwyylwq2f4eyeoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
28fb4137db1dc5813064025021d0c18ca4117a2de7371629b8a5aae5bfe03523
AgentTesla
4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
AgentTesla
50cad31fae9c45dcdd778695df5c75eed96bec0262755cb259ef1970366777c3
AgentTesla
747605b46cef4d6526cec7edc03c2d7eeb02741b54746057bde5c08ab9a3af38
AgentTesla
a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138
AgentTesla
b9e6a7078c1b45fe46c4a67b4911aa9d14f4c90f7b1eb7e24c89f12deef44450
AgentTesla
c0d78a0e66df81e755349710a7c88371ad11a3dcc44115dffca63052954d8060
AgentTesla
d4be953d9e9504303622fe8c83eb835c8dc6ce07a051ad145a4b419cab8b8566
AgentTesla
+ 6'365 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230920-klez1shc42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4c00f6d566b9f3d3f8407d44e477db87926c08fa089a351b165547de5a07d9d9
MD5 hash:
4fb1a7084bad3b1016533fee03610952
SHA1 hash:
d099e51ce5d9790bdc706a6f703294ad595cacb8
Link:
https://www.unpac.me/results/a62506f3-96f3-4878-838a-0ccc25a60950/
SH256 hash:
b58e8f44c16e052c300e324d8d31929900420e527ee85eb4748251978ebe1a37
MD5 hash:
80e8120e0d74beaa8f70b44e00c66be6
SHA1 hash:
d00b435e8bb6402a2ce5775ef14cfc72e4964f4b
Link:
https://www.unpac.me/results/a62506f3-96f3-4878-838a-0ccc25a60950/
SH256 hash:
b1660d737e850e512beb4ff696a651425a0c85544317bd45128e869a22e9e174
MD5 hash:
04a87285b253825cb07da6211facd46d
SHA1 hash:
58dda0aef7b934a6454774ddac8ddcb65ca51f2a
Link:
https://www.unpac.me/results/a62506f3-96f3-4878-838a-0ccc25a60950/
SH256 hash:
5bf404bead87bdec8ad5a549c2854fa3e24203f6e375901406a8a30c44cedcc6
MD5 hash:
ef896813bc0be1565fbb963447c05c9d
SHA1 hash:
1ee4089c435dae0a9ab5b2079c69504b84794cce
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/a62506f3-96f3-4878-838a-0ccc25a60950/
Parent samples :
e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c
4b3919bc8ab3c523d2cc6c48a0279cf72d39de65e3ef428b922461f833e6ad4d
SH256 hash:
e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c
MD5 hash:
0ddfc920f96032fe88083317dc5d109d
SHA1 hash:
4717cb135554de5f00ee23394d90e94e48140785
Link:
https://www.unpac.me/results/a62506f3-96f3-4878-838a-0ccc25a60950/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e4b46a390ed3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e4b46a390ed3597681b12b1834985a5a8ddaf4cae96ff14ed8c2ed0d1784c11c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/449976/

Comments