MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899
SHA3-384 hash:	34814add0182958cfb459ff0cc83f189c8ca28e8058f04e3a61f180d90dd8cbd36bd020dba43c4de40c369c96717c7c6
SHA1 hash:	ca2513d99be4f415a8a9552d96d9b22ff5d4c70c
MD5 hash:	26134485c877a61c48a8703e4c26c1ab
humanhash:	king-paris-johnny-utah
File name:	f4.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	1'574'400 bytes
First seen:	2023-10-04 10:40:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e74c8ae3503a17604f2a2d84ae3389c4 (4 x AgentTesla, 2 x SnakeKeylogger, 1 x DarkCloud)
ssdeep	49152:Zy9g19QiWagKRsVK5steiJNuAiW5G6K3LIuF/H9YxIu:dngqsVWstbJvI3JF/H9lu
Threatray	43 similar samples on MalwareBazaar
TLSH	T13B750269E2BCBCEEC41690F9DC76FAE5192FE95D44290D2A782A310314723532CB6D1F
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	b46cccccd4e8f4dc (5 x AgentTesla, 2 x Formbook, 1 x XWorm)
Reporter	0x746f6d6669
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

302

Origin country :

DE

Vendor Threat Intelligence

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win64.CrypterX-gen.22531.8214.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Forced system process termination

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Dragonfly

Gathering data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

hacktool packed packed packed upx

Link:

https://www.filescan.io/uploads/651d41419b16696e9f8f62ac/reports/8bf7a3a4-78fa-443c-bc39-98d6523735a2/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0c0217c6-466c-4a48-b0a4-b5758f411811

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1319378

Signature

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB agenttesla

Detection:

agenttesla

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899/

ReversingLabs TitaniumCloud Win64.Trojan.Znyonm

Threat name:

Win64.Trojan.Znyonm

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-10-03 14:59:10 UTC

File Type:

PE+ (Exe)

Extracted files:

23

AV detection:

19 of 36 (52.78%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6rdh3ccz2f2mt3pvwwlos3cek2tkuaszxxxb24tjpj3kvnps7cmq._file

Threatray malicious

Verdict:

malicious

Similar samples:

00dc35f39503924bff98f40ac52100ab2882ed22cdf8a3e4a9ec2f1797736aaa

AgentTesla

0e84afe68234f625e08be5460e469a3cd13eb24d28f0a371539d93728bacbd87

AgentTesla

18a48731b148e59ecffa75b392d72963d1a7e386201e9745eb1f06169cd37d00

AgentTesla

43b81d0ca2373e9f8746005bff03564656b711c3a0d9e81a632f703a420e1cd6

AgentTesla

63efc3445014bdf5bc7c990e30c279a5f1ef3aca8760335c91e5c774aac13d73

AgentTesla

7266208dc8fb418f47fef760b7c35196336e8f2e3822108df59636d125d3568d

AgentTesla

8192f84102d9071fc922c436f69660b5be0bdb300adaa212295f84f985bbc5ea

AgentTesla

af5181b58209a8a6e973d806ba6e2321e7aba08b3bd56012d4f159a7b2f51ac2

AgentTesla

dfbecad8d36fe0dcdcb4d403209d8762fd4507e14674fabef306e28a5ede518b

AgentTesla

eded555a7a575a6335ccc1c59ac51b58eb00ba3f43a0d5ed66f2af28f4d3bcf6

AgentTesla

+ 33 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/231004-mq4kaaah7w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

UPX packed file

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6599370963:AAHYVLyUgd9Le0k5YAQvMSjM72cBftugiL8/

UnpacMe 2

Unpacked files

SH256 hash:

5c0063ae28f46545885a2aa9365ec044ce749493e9a3235df5af52068240d6e7

MD5 hash:

e494555951360f662c34fa12579694b7

SHA1 hash:

7fc0f8f1a69351a8c3eb49e17eed095f07350250

Link:

https://www.unpac.me/results/87cdd6bd-af5b-4f83-b4d2-d2525d3bb867/

SH256 hash:

f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899

MD5 hash:

26134485c877a61c48a8703e4c26c1ab

SHA1 hash:

ca2513d99be4f415a8a9552d96d9b22ff5d4c70c

Link:

https://www.unpac.me/results/87cdd6bd-af5b-4f83-b4d2-d2525d3bb867/

VMRay AgentTesla.v4

Malware family:

AgentTesla.v4

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f4467d8859d1/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899