MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69
SHA3-384 hash: 319e43005a4d3159c4897322f8ad158e19405d722c2461855c3b15f63068a61e370635b40df1a6cf637aa8684a2db955
SHA1 hash: 7dab913d9e2829acae4fec7abdb27fc1a8278d30
MD5 hash: afa3e4b992ae2325ad061289101b8a28
humanhash: snake-burger-queen-fanta
File name:MACHINE QUOTATION #ALAM11222.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:526'848 bytes
First seen:2022-11-04 06:22:35 UTC
Last seen:2022-11-04 08:14:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:520TSd3on0aEfl+hwiNJ+noA5+2P/vpyzLtB+/Bj84jCBB:nTjncswlnoyl/Bg/+/6KAB
Threatray 529 similar samples on MalwareBazaar
TLSH T189B4F1EDF80FD9F2CF69D672ED8291B5A42039F93208157ABB1CBB31502124E6D41DAC
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MACHINE QUOTATION #ALAM11222.exe
Verdict:
No threats detected
Analysis date:
2022-11-04 06:25:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8337cce5-0b98-4833-bce7-30852432093b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328345/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63336347.13417.19483.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive packed
Link:
https://www.filescan.io/uploads/6364afc815611f8d8bf8c0f5/reports/8841c148-1188-47d0-a1ea-46050457c997/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/35428b7e-607c-4d2f-8ffe-7dcf4e81e4bf
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1105162
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 737823 Sample: MACHINE QUOTATION #ALAM11222.exe Startdate: 04/11/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 7 other signatures 2->47 6 MACHINE QUOTATION #ALAM11222.exe 1 2->6         started        10 newapp.exe 2 2->10         started        12 newapp.exe 1 2->12         started        process3 file4 23 C:\...\MACHINE QUOTATION #ALAM11222.exe.log, ASCII 6->23 dropped 49 Writes to foreign memory regions 6->49 51 Injects a PE file into a foreign processes 6->51 14 CasPol.exe 17 7 6->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 27 ftp.code-jet.com 162.144.23.32, 21, 35607, 49698 UNIFIEDLAYER-AS-1US United States 14->27 29 api.ipify.org.herokudns.com 3.232.242.170, 443, 49697 AMAZON-AESUS United States 14->29 31 api.ipify.org 14->31 25 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 14->25 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 May check the online IP address of the machine 14->37 39 6 other signatures 14->39 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69/
Threat name:
ByteCode-MSIL.Trojan.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 12:28:02 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6r2c5my4rmwg37jcwa5o7yynjci5kd4i44fvxqt5vyc7wotblvuq._file
Verdict:
malicious
Similar samples:
3a64393091b5986993f20990f8709a8e0e06375d692b5721c216eda9782c6f5d
AgentTesla
44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe
AgentTesla
4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4
AgentTesla
6b7204b9938cdc7e24b589faac4e12ed848c7121269899614b38bc95784845b9
AgentTesla
9d0cd2b1f470af7bba55345850c4f2b24ba96b9c4c361e4ff75c14a72bb3e7de
AgentTesla
b13bc9c14764fa971ad6e5f0d4583ed0a25b4ffd7a426a2b7e28567f78c4d165
AgentTesla
d3c0d9f3e9555fac2f6c6431339c4556f2d87b5479543a927040c4ddfd1e25ba
AgentTesla
+ 519 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221104-g5gq6scch2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1cc69a06-b23e-4be7-9201-a46fd7b39c38
Unpacked files
SH256 hash:
f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69
MD5 hash:
afa3e4b992ae2325ad061289101b8a28
SHA1 hash:
7dab913d9e2829acae4fec7abdb27fc1a8278d30
Link:
https://www.unpac.me/results/5f890c3f-2c8f-453c-bcb7-93e737240208/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/328345/

Comments