MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f04bcd88e4fc673e3c6a50fe97b68d93a35ee6a0029b4d1082aac6751c0b751d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f04bcd88e4fc673e3c6a50fe97b68d93a35ee6a0029b4d1082aac6751c0b751d
SHA3-384 hash: a54a72f10c7d8af7acdfeae17c6c2419daff5383cc4b469cacd7f0d818d3171fc9c9178ea2f63edc62b3258243d26456
SHA1 hash: 5165a504e35ac83fad1e5915c96acf7e7351c692
MD5 hash: 33285ede30ca1312a7e7e33e2830dd2e
humanhash: salami-sink-magazine-two
File name:Bank Transfers Form.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:327'420 bytes
First seen:2022-11-17 08:16:37 UTC
Last seen:2022-11-19 14:26:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 6144:MEa0NbsEuZkknc3PnNtAwwm72qCJZobY1O4TF8hAlVh1xQ2mJGYQphSgS:Xbs6vPNtAwwm7Go6O4TF8h6P1mJb2XS
TLSH T1766423516341A5F7FFCBD7315CF2A7A9E236C660042248A383D41FAD6C39686669B0CE
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
197
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Bank Transfers Form.exe
Verdict:
Malicious activity
Analysis date:
2022-11-17 08:18:56 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/69a30774-f5d1-4006-9ad3-5b31dfb7856c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335224/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.28518.654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6375edff4cfa4744015c704c/reports/19a32915-6ce0-49b9-90f3-f564e2a29283/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c6c78f0-9069-4a27-934d-ff4c798db3ab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115584
Signature
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748289 Sample: Bank Transfers Form.exe Startdate: 17/11/2022 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Yara detected AgentTesla 2->70 72 2 other signatures 2->72 7 Bank Transfers Form.exe 18 2->7         started        10 cxxwr.exe 2->10         started        13 cxxwr.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\...\awwibnjuqg.exe, PE32 7->28 dropped 15 awwibnjuqg.exe 1 2 7->15         started        80 Detected unpacking (creates a PE file in dynamic memory) 10->80 82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->82 84 May check the online IP address of the machine 10->84 86 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->86 19 cxxwr.exe 14 3 10->19         started        88 Maps a DLL or memory area into another process 13->88 22 cxxwr.exe 3 13->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\Roaming\...\cxxwr.exe, PE32 15->30 dropped 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->50 52 May check the online IP address of the machine 15->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->54 64 2 other signatures 15->64 24 awwibnjuqg.exe 17 4 15->24         started        32 webmail.jackbarber.com 19->32 34 3.232.242.170, 443, 49705 AMAZON-AESUS United States 19->34 40 2 other IPs or domains 19->40 36 webmail.jackbarber.com 22->36 38 52.20.78.240, 443, 49707 AMAZON-AESUS United States 22->38 42 2 other IPs or domains 22->42 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->56 58 Tries to steal Mail credentials (via file / registry access) 22->58 60 Tries to harvest and steal ftp login credentials 22->60 62 Tries to harvest and steal browser information (history, passwords, etc) 22->62 file8 signatures9 process10 dnsIp11 44 webmail.jackbarber.com 138.128.163.242, 49704, 49706, 49711 DIMENOCUS United States 24->44 46 api.ipify.org.herokudns.com 54.91.59.199, 443, 49703 AMAZON-AESUS United States 24->46 48 api.ipify.org 24->48 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->74 76 Tries to steal Mail credentials (via file / registry access) 24->76 78 Creates multiple autostart registry keys 24->78 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f04bcd88e4fc673e3c6a50fe97b68d93a35ee6a0029b4d1082aac6751c0b751d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-17 08:17:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
25 of 40 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bf43che7rtt4pdkkd7jpnunsorv5zvaaknu2eecvldhkhalouoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221117-j6pjhsdh98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4b7b0c6a-57a3-4619-b270-af19c2b8911a
Unpacked files
SH256 hash:
6f4d76617234f9e66c1747ee7acb523b312459f3464efcdf703c8f608611ae86
MD5 hash:
6a5f2516a4f18d89d022e3c0ae35de33
SHA1 hash:
730eb1d05b50bff096a264852113fc4ed7c591d0
Link:
https://www.unpac.me/results/f41285d5-9932-4009-87d8-e212da227d28/
SH256 hash:
000fd9491bc510a141e94d267aef420c7ed14037a18fe46fb5848ade5eabaef3
MD5 hash:
a24205d2e65cc5654bb3f7485d69c767
SHA1 hash:
5259137b8343e45952643a2fd2585125a701e3de
Link:
https://www.unpac.me/results/f41285d5-9932-4009-87d8-e212da227d28/
SH256 hash:
28d44628cbb2d6e6cc762b2f9784e015a2feb38188835be7ed79c3d7698f26a6
MD5 hash:
4d8c120b641edfba8d596d7654570b1e
SHA1 hash:
5f5aaf9227eeccabe0c259d38442d55d1051949d
Link:
https://www.unpac.me/results/f41285d5-9932-4009-87d8-e212da227d28/
SH256 hash:
f04bcd88e4fc673e3c6a50fe97b68d93a35ee6a0029b4d1082aac6751c0b751d
MD5 hash:
33285ede30ca1312a7e7e33e2830dd2e
SHA1 hash:
5165a504e35ac83fad1e5915c96acf7e7351c692
Link:
https://www.unpac.me/results/f41285d5-9932-4009-87d8-e212da227d28/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f04bcd88e4fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/f04bcd88e4fc673e3c6a50fe97b68d93a35ee6a0029b4d1082aac6751c0b751d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_e577e17e
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f04bcd88e4fc673e3c6a50fe97b68d93a35ee6a0029b4d1082aac6751c0b751d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/335224/

Comments