MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09
SHA3-384 hash: 588a66703ea8812dfa23a635fea81c97661d8898ddca82666c0b2ac474975ea200dc5a682fce643f19ee9635400dff4b
SHA1 hash: 0e7e7001ad3e6ac8c0ebba16451551678c66f3f6
MD5 hash: 0c9f6ebfebc42cdcf20144a42bac6f8a
humanhash: quebec-fanta-harry-stream
File name:Transferencias-00202305.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:712'704 bytes
First seen:2023-05-07 16:14:22 UTC
Last seen:2023-05-13 22:58:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:Y2A22OmddXqtacvwaOTAeQJmrfOETiQQD5SWDjYuUXFSC6WZaMT1MNmSLrGJI:HAbZcvZORrgQQDxXlU1SErBMsW
Threatray 3'066 similar samples on MalwareBazaar
TLSH T1C0E4E1213379FBA1DCE583F8720CE4015FA45D50A3B9FAE88DCBE0D45598B19E7606A3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transferencias-00202305.pdf.gz
Verdict:
Malicious activity
Analysis date:
2023-05-05 18:29:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08c15680-2f1a-4eaf-93c4-33024d88e71e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387332/
Detection(s):
SecuriteInfo.com.Variant.Barys.351838.21653.15358.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys formbook packed
Link:
https://www.filescan.io/uploads/6457ce8636a9691aaeddf75f/reports/33a0a36f-5805-4772-be0e-6b6927ae0659/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6544cf0-fd16-4838-b1b7-374b4c358036
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227839
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 17:09:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6smh3lhxfy46qldzvgcaf5cpqprwj5hbvfwibdn5z7jdfqtw7ieq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d
AgentTesla
4c88e26f710c4aec376be1d0162bc0edbb5dc0092f5c786c9f5c15b4c5bc9706
AgentTesla
5c76a96da653327e6693cf7b0cd13af04dccdc8cab2692fdb707b293c197c2ee
AgentTesla
6c9edf76efc88d3ae9ba10f36ac4e5b30ad4b5766a41729bba53f78fba84c0bc
AgentTesla
784074560889770845788ca5875ff3660a30fb85d27823c017b209b101be3499
AgentTesla
860da509a25f16cda9a80a5063d4b23bc6a702406fe3c94d69bfc10790219b4e
AgentTesla
b02d91d801822490ae3fa7315323ba054cb72aee687579a81419b7f38925e653
AgentTesla
b56529131600b58462657106380f4ec863397c8a51f52dba1ea33ec0cfccefdc
AgentTesla
c5b618054d855fffed65dc372080cdc5de39ca31edd513e7765a02c64f9b9e1b
AgentTesla
+ 3'056 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230507-tp7nwafb55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash:
d4b6893a5512534104c6c7403be60897
SHA1 hash:
d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d
Link:
https://www.unpac.me/results/d9325998-0947-41a9-8e2c-6afe3b860eb5/
SH256 hash:
cfbf7c2055b93d85a523d9bf978f79b11279f73934c1d90926223f2da9b781aa
MD5 hash:
45acc0a785790a3bf1c056cc583efa65
SHA1 hash:
bdac98c12ccd6d514d1c862d0371e7ea428a98ea
Link:
https://www.unpac.me/results/d9325998-0947-41a9-8e2c-6afe3b860eb5/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/d9325998-0947-41a9-8e2c-6afe3b860eb5/
SH256 hash:
bdfd3a90007f6305a48bf0297b5e0f9015cda1d82b1cb90ce6627bd9e7bc16cd
MD5 hash:
52c7540741d5e17d69e652ae8313bff4
SHA1 hash:
686cb503c1c90414566dbd1796b46ef0acfb231a
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d9325998-0947-41a9-8e2c-6afe3b860eb5/
Parent samples :
784074560889770845788ca5875ff3660a30fb85d27823c017b209b101be3499
f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09
1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4
bdfd3a90007f6305a48bf0297b5e0f9015cda1d82b1cb90ce6627bd9e7bc16cd
f1d17b3eaebacbc4bb2bbbd958910c39391ba63cf9ff0bc7ecbc8875dded84b7
32606aec367ff7a71d0af223af5d22075a6cebc9fb967e4f2b5903fdee682bf6
34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902
6603e18a8253f8d08941d0c458c8fc3baf185b5f2bdf9cd6854d83761f4267dc
ca6a6aecce39ebda2e107fbe004eabd01987ef49bc04078d42a566cc517be270
48fbad14bfadc210fb83d8281d7001bf056f5b96698ae2b3b27f4845045c02a8
4eff9b9fcfb59f8402b524565f92e905dbec8c610ec6dadaf9c3cb1fd5c3e5e0
a9cdb9cfeb1c1056c0db558d54cfa61d9f3dac179e934d2869f4bd829fe20819
b4e06eb03f2595cab0b744c37290c3641f8ceff3970fc4ebefae073e0b1fa780
5241d93369ff133d1aa4381a074806b10d37f414261f89f2198ef76d238b5ec1
9748fc497d427eb41191ea495d907cd5d2dd9455ed20bf08df947bdb15d84baf
SH256 hash:
7c119c515f18f5a3928d1d09af7b7135055c5d3c975b64d38284c86d238dd5d9
MD5 hash:
7ce00a044daa4e867e97b332a45e33dc
SHA1 hash:
239aec4093da223d60883035853227be21923f2d
Link:
https://www.unpac.me/results/d9325998-0947-41a9-8e2c-6afe3b860eb5/
SH256 hash:
f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09
MD5 hash:
0c9f6ebfebc42cdcf20144a42bac6f8a
SHA1 hash:
0e7e7001ad3e6ac8c0ebba16451551678c66f3f6
Link:
https://www.unpac.me/results/d9325998-0947-41a9-8e2c-6afe3b860eb5/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4987dacf72e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387332/

Comments