MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f456cc467fb715d5a47451118ad6fe4529a593c31e5ff402cd52934b23a24b2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	f456cc467fb715d5a47451118ad6fe4529a593c31e5ff402cd52934b23a24b2c
SHA3-384 hash:	12c99329de514b13c063f2ce1cb1e662650fc68757fbe6a421e73b76a472f31cd69ffa058453a9d821d6f46c01b7971b
SHA1 hash:	8673189a203a11b60461da6b751beb2fec383dd2
MD5 hash:	8fa0111dbf50f3acd6262d24dd93561b
humanhash:	cardinal-lemon-johnny-october
File name:	Shipping Details.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	805'888 bytes
First seen:	2023-07-10 08:18:32 UTC
Last seen:	2023-07-11 13:06:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:tyubbHMmNdpHsKrPd4Icw3d1x1s4u1kRyM/6aPqLLtGe:3Rhbs4G9nPLLk
Threatray	4'691 similar samples on MalwareBazaar
TLSH	T11405623D18CAA567D278EF964424EA59F2C3B38237835BBE75D2C6618002339F6D139D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/413402/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.30414.25213.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64abbef9dbb9e835463f67ce/reports/9eae068d-9a01-45cd-a564-8a52f429e174/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/f456cc467fb715d5a47451118ad6fe4529a593c31e5ff402cd52934b23a24b2c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6efca9d7-cd73-4502-bc4f-e4137a444b5d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1270321

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f456cc467fb715d5a47451118ad6fe4529a593c31e5ff402cd52934b23a24b2c/

Threat name:

Win32.Trojan.ClipBanker

Status:

Malicious

First seen:

2023-07-10 02:13:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6rlmyrt7w4k5ljdukeiyvvx6iuu2le6ddzp7iawnkkjuwi5cjmwa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1d0cf9a5e034371075cf0a328d98c53f4eeb74325d61ee956222346ebb1f5497

AgentTesla

22946068fd1e3e163cd2aa78bd95ac8983fddcbebbd2a7ec07fd2e752caa49d2

AgentTesla

53e575805dc9d69c41f366e65946a7d4adf051f322f463f70e9b2f80d50450cb

AgentTesla

5b1d470fd0b7b2edef114e5834f29e6fbe844c292a449a7d32bc402b8840f697

AgentTesla

cd917c86fe27ecd3feeca690377817bce1f4034830e6d68a19dbffc8c61e97bb

AgentTesla

e5b3f5c88055487475981257a3146b756a653845e01c66141d3547192805a8f3

AgentTesla

f32fa75689c2875fc313105007b2b9ca1080cb75de4da9b58f2e3ccdb178ac1d

AgentTesla

+ 4'681 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230710-kqvahaac4x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

SH256 hash:

a086a0363cfa553050218e7f3b4513733aca83080de8eb2643db2c839eec9d4d

MD5 hash:

47161e51fea655d9d429d50f94738ca0

SHA1 hash:

68176c4d7e92c9164703524d8e0e55fc94cfa37c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

Parent samples :

5b1d470fd0b7b2edef114e5834f29e6fbe844c292a449a7d32bc402b8840f697
f456cc467fb715d5a47451118ad6fe4529a593c31e5ff402cd52934b23a24b2c
21c4d71cebc688935ce9478821fd103894c44fb249b4c00fd3f8415fa90d6db6
1a02d7fa71451609f38cdd2cc9a62c9254c4772316dba90087ccdfd2d2a7ac5a
a641e8bafd27fb1423a65ca1a22338297173deeb3fab7931a36383f317221b95
40cd96e25835eeba956645398ed73a0f0e14563375530fa5f2db3bcf44dd88d7

SH256 hash:

d3a67812fa7aa3b0c34741f14f6c2cd40adec68732b9ade785fe6b6f0a0fd9a5

MD5 hash:

263a9df80372ba3ce3fd9d501a9534a8

SHA1 hash:

427bf64f37c6ea67949e9fa4f131d4f8527a382a

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

SH256 hash:

a086a0363cfa553050218e7f3b4513733aca83080de8eb2643db2c839eec9d4d

MD5 hash:

47161e51fea655d9d429d50f94738ca0

SHA1 hash:

68176c4d7e92c9164703524d8e0e55fc94cfa37c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

Parent samples :

SH256 hash:

d3a67812fa7aa3b0c34741f14f6c2cd40adec68732b9ade785fe6b6f0a0fd9a5

MD5 hash:

263a9df80372ba3ce3fd9d501a9534a8

SHA1 hash:

427bf64f37c6ea67949e9fa4f131d4f8527a382a

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

SH256 hash:

a086a0363cfa553050218e7f3b4513733aca83080de8eb2643db2c839eec9d4d

MD5 hash:

47161e51fea655d9d429d50f94738ca0

SHA1 hash:

68176c4d7e92c9164703524d8e0e55fc94cfa37c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

Parent samples :

SH256 hash:

d3a67812fa7aa3b0c34741f14f6c2cd40adec68732b9ade785fe6b6f0a0fd9a5

MD5 hash:

263a9df80372ba3ce3fd9d501a9534a8

SHA1 hash:

427bf64f37c6ea67949e9fa4f131d4f8527a382a

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

SH256 hash:

f456cc467fb715d5a47451118ad6fe4529a593c31e5ff402cd52934b23a24b2c

MD5 hash:

8fa0111dbf50f3acd6262d24dd93561b

SHA1 hash:

8673189a203a11b60461da6b751beb2fec383dd2

Link:

https://www.unpac.me/results/f52b70a4-0d92-4490-9393-b96a14edf2a1/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV4 Create hunting rule
Author:	Rony (r0ny_123)

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it