MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db
SHA3-384 hash: 46ca170b0731084b48e482b6b08e0ca70a5293ae422bce867e0f12bb4cfd4dab4082a6752da1d9646fe0008558cd5022
SHA1 hash: 43335a5d4c13db4e2d8acf2dc19f62fffbccf9ac
MD5 hash: 700b6a975495e125104439b4fb83e34e
humanhash: paris-river-quiet-don
File name:PO.hta
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'040 bytes
First seen:2023-10-19 07:53:53 UTC
Last seen:2023-10-22 18:26:44 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:hMNmMvy4GqptEIjb18qeoAlOnp8xuY8yu5yNATFKmHjl88e/ZM8E4olEC:ImMqopOIjb1fd4ucNQFKmOyt40F
TLSH T1E71112E6A88685843773C6E917E3E159F517D24A51814D087644A16BFF1A31E4393447
TrID 80.6% (.HTM/HTML) HyperText Markup Language with DOCTYPE (12501/2/4)
19.3% (.HTML) HyperText Markup Language (3000/1/1)
Reporter cocaman
Tags:AgentTesla hta payment

Intelligence

File Origin
# of uploads :
7
# of downloads :
115
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Runner-NG.29025.24930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db/results/dashboard
Payload URLs
URL
File name
https://cdn.discordapp.com/attachments/1130892959336906764/1161056088590921859/PO.exe?ex=6536e8be&is=652473be&hm=db0d4ec319d61939550bbad769e047186ee43c18db1997babacf432f1285283b&
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bitsadmin lolbin qakbot
Link:
https://www.filescan.io/uploads/6530e09d10dbe5fb92cec02b/reports/ee6f9a92-cd04-473e-9b4d-b64257c39a1f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328556
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download files via bitsadmin
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328556 Sample: PO.hta Startdate: 19/10/2023 Architecture: WINDOWS Score: 100 50 cdn.discordapp.com 2->50 52 api.telegram.org 2->52 60 Found malware configuration 2->60 62 Antivirus detection for dropped file 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 9 other signatures 2->66 8 mshta.exe 1 2->8         started        11 4444444444.exe 5 2->11         started        13 WindowSecurityxy.exe 5 2->13         started        15 3 other processes 2->15 signatures3 process4 dnsIp5 92 Tries to download files via bitsadmin 8->92 19 PO.exe 1 4 8->19         started        23 bitsadmin.exe 1 8->23         started        94 Antivirus detection for dropped file 11->94 96 Multi AV Scanner detection for dropped file 11->96 98 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->98 25 4444444444.exe 14 3 11->25         started        100 Machine Learning detection for dropped file 13->100 102 Injects a PE file into a foreign processes 13->102 27 WindowSecurityxy.exe 13->27         started        29 WindowSecurityxy.exe 13->29         started        56 cdn.discordapp.com 162.159.135.233, 443, 49704, 49705 CLOUDFLARENETUS United States 15->56 58 127.0.0.1 unknown unknown 15->58 42 C:\Users\user\AppData\Local\...\BIT788F.tmp, PE32 15->42 dropped 44 (copy), PE32 15->44 dropped 104 Benign windows process drops PE files 15->104 31 4444444444.exe 15->31         started        33 WindowSecurityxy.exe 15->33         started        file6 signatures7 process8 file9 46 C:\Users\user\AppData\...\4444444444.exe, PE32 19->46 dropped 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->68 70 Creates autostart registry keys with suspicious names 19->70 72 Creates multiple autostart registry keys 19->72 82 2 other signatures 19->82 35 PO.exe 16 4 19->35         started        40 conhost.exe 23->40         started        74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->74 76 Tries to steal Mail credentials (via file / registry access) 25->76 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->78 80 Tries to harvest and steal browser information (history, passwords, etc) 33->80 signatures10 process11 dnsIp12 54 api.telegram.org 149.154.167.220, 443, 49723, 49724 TELEGRAMRU United Kingdom 35->54 48 C:\Users\user\...\WindowSecurityxy.exe, PE32 35->48 dropped 84 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->84 86 Tries to steal Mail credentials (via file / registry access) 35->86 88 Creates multiple autostart registry keys 35->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->90 file13 signatures14
Score:
1%
Verdict:
Benign
File Type:
ASCII
Link:
https://malprob.io/report/f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db/
Threat name:
Script-WScript.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2023-10-09 22:50:33 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rjayjn33vytjgv5w53pdeqvffgli4g5nevqzlhff7gtu2o7mtnq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231019-jrjdyseg3t/
Behaviour
Download via BitsAdmin
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Downloads MZ/PE file
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6049148844:AAEYOuZtq-yhuAqklwntW8KydQU37_oywUw/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4520c25bbdd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:MalScript_Tricks
Create hunting rule
Author:@bartblaze
Description:Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2

AgentTesla

HTML Application (hta) hta f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2
  
Dropped by
MD5 c359ae05a71a5a2969ef2ccafeac6de7

Comments