MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4dd348e024bb4464e90366feb9b0096d93a1523eaa12254c5b30c0af7c918c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4dd348e024bb4464e90366feb9b0096d93a1523eaa12254c5b30c0af7c918c2
SHA3-384 hash: b573dd8714c59ba26b2c7f201a7452f978addbd4af370501a676fe923fc1ee84e08c2cec17511710190c2110036c4ee0
SHA1 hash: 422ca43d03fb15c85c9bcc1eaae10b5ee0d5a090
MD5 hash: 3424ba1aff62462198f89fcd1a2fa884
humanhash: cola-idaho-uranus-mountain
File name:ungziped_file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:630'272 bytes
First seen:2023-09-04 06:04:09 UTC
Last seen:2023-09-04 06:38:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:bHy2RoB3wQTn00/yKjXfsBuJNmSQbOn6Ym9Po7fPSyOQW1tlovGOtDIAvNocHUWk:bHmB3W8lxJNmSQbi9AI0tloOsHJUG9O
Threatray 5'569 similar samples on MalwareBazaar
TLSH T12DD4026F0FCA7E72C56E0B7540212A8873F5C8429373E7BB1DCD007CA9D665A9F02969
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 4d466666465e4f57 (4 x AgentTesla, 2 x RedLineStealer)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
278
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ungziped_file
Verdict:
Malicious activity
Analysis date:
2023-09-04 06:05:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ef4d89a-f88d-4330-b33d-c17b6925c0fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445943/
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.25485.10334.22844.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/64f5739288e500d7249200f0/reports/7d78fa21-44b7-4fcb-bfc1-ae5f194f1754/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f4dd348e024bb4464e90366feb9b0096d93a1523eaa12254c5b30c0af7c918c2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68955bda-ac1e-4ec2-8466-4f1490894b6d
Result
Threat name:
AgentTesla, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302627
Signature
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4dd348e024bb4464e90366feb9b0096d93a1523eaa12254c5b30c0af7c918c2/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 11:03:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6totjdqcjo2emtuqgzx6xgyas3mtufjd5kqsevgfwmgav56jddba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0df214faf5a5bacc151bac2a04889720a9db05735f8711adbc6909ee1602e243
AgentTesla
2c8cc3ff4c0689126fbd7611c34fbe5f545231683d7bec91553d0df2a6270286
AgentTesla
2eaf94da95c7c5bfeee85e0c9b2eeb4203bc708e8538061624082b61866bc3b5
AgentTesla
3807b05845559f4ea717756c87357b8cfd9b9909a4d3f738f35ddc2bed88c35e
AgentTesla
527667bc0981c49c8b4240170196700630a848bc7f3890ec6733df750d201d9b
AgentTesla
534bc98179bd7a6f7c7491fdee34ff06ae1d90f7bf1db29586d39a5ae971eea5
AgentTesla
a99950332da46a51e1aaba6204df22a2c94926d9ac2691ac63cdb3cc6f9f3098
AgentTesla
bb8d35a8553ccd23f5261bed1353f301f6483fb67a5198fded1fc1022a21481e
AgentTesla
fabbc9025f69a3acca316e85321c79bf83901f320a03d1efbd864037f5c7085d
AgentTesla
+ 5'559 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230904-gs66aseb3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8f7d00afd800a955bf0b9aae14ebe974a69bd059b21ec9b68bb8114d41395c2c
MD5 hash:
3e98369f4c54ac22d111b651660a7622
SHA1 hash:
d9cfa96543d12f857471422249726aac6d7ad102
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/26a1808b-8f79-47f1-8776-80b587493e6b/
SH256 hash:
56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5 hash:
50f28d178452b2db4e1f466904e55c78
SHA1 hash:
d9a3246a570715d756a6c653b6818afb99ae39ec
Link:
https://www.unpac.me/results/26a1808b-8f79-47f1-8776-80b587493e6b/
SH256 hash:
720eb7865aa32950f28737087178ab60b13de358aeb838ede500c50f7235cc69
MD5 hash:
59ff3aedb3f9df07f7ed61aeec39d6d7
SHA1 hash:
d3df5789a205f7849ae626045f6fdb5a7a80da7e
Link:
https://www.unpac.me/results/26a1808b-8f79-47f1-8776-80b587493e6b/
SH256 hash:
0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5 hash:
2c064163cda2f093cf6d20302481dff7
SHA1 hash:
cf948b10d999c369ef51972f86278a4f536d400d
Link:
https://www.unpac.me/results/26a1808b-8f79-47f1-8776-80b587493e6b/
SH256 hash:
f4dd348e024bb4464e90366feb9b0096d93a1523eaa12254c5b30c0af7c918c2
MD5 hash:
3424ba1aff62462198f89fcd1a2fa884
SHA1 hash:
422ca43d03fb15c85c9bcc1eaae10b5ee0d5a090
Link:
https://www.unpac.me/results/26a1808b-8f79-47f1-8776-80b587493e6b/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4dd348e024b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4dd348e024bb4464e90366feb9b0096d93a1523eaa12254c5b30c0af7c918c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f4dd348e024bb4464e90366feb9b0096d93a1523eaa12254c5b30c0af7c918c2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445943/

Comments