MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd
SHA3-384 hash:	f61e69ca4605f9b2714880cec9b31ccd4ed57358bec7502c379908564feb5a1be3266a0ca69c100bb59ba23adcbbfa1a
SHA1 hash:	4ca31c90c511e6deca6a003f017f0aac68cea1d3
MD5 hash:	865453d35978362a078b83a0d81fd4d7
humanhash:	sink-queen-south-hawaii
File name:	f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	953'856 bytes
First seen:	2023-06-08 10:51:25 UTC
Last seen:	2023-06-08 11:41:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:kz8P0OEsxo86h6ZAx1GSlnNHL8JG67YDtzH:1P04o86h6UsuxLIVEtzH
Threatray	4'983 similar samples on MalwareBazaar
TLSH	T15715D09062A48F19F6B69BF65272E53447B53D25F626D21C0CE07CCB3E76F822A01B53
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	3119113da9a9a929 (8 x AgentTesla)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd

Verdict:

Malicious activity

Analysis date:

2023-06-08 10:51:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a21864fe-ff29-4955-abe5-9d7f3bd330b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XorStringsNET

Link:

https://www.capesandbox.com/analysis/396902/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33760859.13491.13023.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/6481b2d3ac63cac41b5366d8/reports/97599597-9e1c-40d8-9644-4da0f126b6bf/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/43d4186c-2f39-43f5-99e0-65b29307a5ff

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1251090

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-05-19 11:49:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6rorhgd5ub6ejqkyq2tbwbjuevhi37cvxhokcykw35pcuin7yx6q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56

AgentTesla

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

AgentTesla

82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700

AgentTesla

92a4f2858bb9f3e546b315c52ee4e07903125b02f55c23cc8ae3e32e2012b2e0

AgentTesla

a21c508de19d0b316579d1686ef31559928d3d0c105e0f41b16aac61cb1218d9

AgentTesla

ad4b09d5bd45cb28e02d15b16313813aac8db083363be6aa81d2d6e53ed97a9a

AgentTesla

b3fbab4d8090fb6109b890d24c1e457db6e3f6bd5e17c6be2f2cb8448d53d5ab

AgentTesla

b9898a0817f9176be00846dd5c37234d9e8631b148d137df6950d57af6681abc

AgentTesla

d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74

AgentTesla

+ 4'973 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230608-mydntsfb2s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6277498666:AAH4URlmeSysUKKZG20OTvrve55BRMLEu_o/

Unpacked files

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/e691fffa-36a3-4d60-8f82-45e938384d2a/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

463191bfb464a6e0c25b2e5117304f59ccd1e8a1547e3ef0764d104800e86643

MD5 hash:

5c46dd3f7534681d5556a0fab5384175

SHA1 hash:

608a5491381fad8a18ac812e4f8a81bff38ff3fb

Link:

https://www.unpac.me/results/e691fffa-36a3-4d60-8f82-45e938384d2a/

SH256 hash:

489c23ef0a347e9d4782527f5e971e3f80b37dfd50eeb603152a4dcc922b5890

MD5 hash:

5c473cd3b5de7a69be48d33b605863a4

SHA1 hash:

48cd124db4555e5b8224deaa8a0ea88081aa1ee0

Link:

https://www.unpac.me/results/e691fffa-36a3-4d60-8f82-45e938384d2a/

SH256 hash:

f9021a9e1610a19bafd9f21c3ae02c8d4311e51c26088bad0b4656d12696269f

MD5 hash:

10a323a5614f656ff87524ec3a3954ea

SHA1 hash:

31fe827daa419d117c8ac75fff8253c57cb014d7

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/e691fffa-36a3-4d60-8f82-45e938384d2a/

Parent samples :

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067
0e77fc7adca97943ad5bca6f1cd20d05e80bcdda01b29087bf1d6fccd4379063
b3fbab4d8090fb6109b890d24c1e457db6e3f6bd5e17c6be2f2cb8448d53d5ab
92a4f2858bb9f3e546b315c52ee4e07903125b02f55c23cc8ae3e32e2012b2e0
577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56
d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74
f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd

SH256 hash:

b178430918654661133e3cc86f68618dac7c1a56092e89c8d474cf3f05390a23

MD5 hash:

a74d4ff639d43c44d7dcf925dfc3b2d1

SHA1 hash:

1db08e8f485ac81d554e836a784589ab4cee8486

Link:

https://www.unpac.me/results/e691fffa-36a3-4d60-8f82-45e938384d2a/

SH256 hash:

f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd

MD5 hash:

865453d35978362a078b83a0d81fd4d7

SHA1 hash:

4ca31c90c511e6deca6a003f017f0aac68cea1d3

Link:

https://www.unpac.me/results/e691fffa-36a3-4d60-8f82-45e938384d2a/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f45d13987da0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/396902/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample