MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
SHA3-384 hash: 9c7cf38cb796d1b0b5296ac281f7df1d8b883853e2e9320d0b81bbce76eeb2029b2385845c90b7964f0a8126cb913f14
SHA1 hash: c4181196ede2c623619d214ecbe9f879b896786b
MD5 hash: 42efd4cde38bbbe915c02dd495100cd3
humanhash: alaska-skylark-johnny-arkansas
File name:shipping documents PI MLM MAMM0012.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:641'024 bytes
First seen:2024-01-24 10:13:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:v9jLBJI3aK2ik1+FrW3NPsvsXmwgea/Uk4L9COiYaW1mwx9mKLeQT65oK2KrUX:1jruhbk1+FqPsvsXmVbEDl1BxcQT6jdc
Threatray 1'015 similar samples on MalwareBazaar
TLSH T12BD42362F7CC377FEC9903B998A281B04B397945941FCE2D5C6AD0E98C69F500964BE3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 24cccaaacc99d264 (13 x AgentTesla, 8 x Formbook, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472693/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65b0e2f88dfc251a25fe0d32/reports/b8ba3c93-02f3-495c-9f39-eba254b94dad/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/522d69e6-7d7f-4d85-b268-98ddddcea5d8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1380186
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-01-23 12:45:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tpoevgvhddljzmjf7tteddnhxxh7zs6o3k6mby3leqy3v3l2wha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2139944dcc75ffd2ae23cf50fb751ebec4dffb7774764e8b4d48808f0925aedd
AgentTesla
36e763233ca3ff441f5ce71a59ec7b108f6329d27406b378758f6437a0f049c8
AgentTesla
63b1c49f2a5cb69d745bebcbf6f3a1dceabf30e813840a25eff4284d20220257
AgentTesla
c3820a16faa2878b05636b40e8571711ed71735a8fcc732c26a9d3ea357a8a5a
AgentTesla
d68bfd59c3db0b1e61fc5d88cccc6ed26da7bf1ce62dec8b7e820b2d0df77fb6
AgentTesla
+ 1'005 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240124-l9ngqsfgg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
f5419b672631d303e40394ffebcd94d4a1b81aa58c4f0453e6034be4267193b3
MD5 hash:
f45a4495debe22e93b3f17fa9f0998c8
SHA1 hash:
adbb827a3c4788dba9f00c4c97371007ccf8b338
Link:
https://www.unpac.me/results/67cd40d1-6511-411f-be8f-d142f5c85dcd/
SH256 hash:
b0ab5156c1e5e7fc9f968b880dbf42704e440bab63d5cbaef8bf2df2670a427b
MD5 hash:
06d41ddeb56d013297b1193efaa05bb5
SHA1 hash:
84efcfb35ae417716e85a01c825cf853d9ae0db9
Detections:
AgentTesla
Create hunting rule
MALWARE_Win_AgentTeslaV3
Create hunting rule
Link:
https://www.unpac.me/results/67cd40d1-6511-411f-be8f-d142f5c85dcd/
Parent samples :
55f02b8d7758ec40e4c629e239a6b7c4e8b232ea5a1652357f582ae1d64782b1
ffafcbbf3656e0ace64d99d6e93abd741386bf0a4542839a5c8b9db8414b7a1e
ba37331dfdcb8da50797d4b8a3c5648f77fe9281cc6db7bdd65aaed080946286
673e3bfb2595b5d686e947a8a67b89e57271037c92a076ef8221b4fea0d387e5
b0ab5156c1e5e7fc9f968b880dbf42704e440bab63d5cbaef8bf2df2670a427b
e1f44a0055879abc0d8b0a75b9716e41d97fb0cc6c7669f27942dc3542551c29
fa6cfed07797c6a3fc1962de2c17bc2065431f4fdfa209b77d8a7f28051ec2d8
8949ce9874d73dae7318b895406ebce9811bbb8b834ed5195b9cb0783bfd1605
c3820a16faa2878b05636b40e8571711ed71735a8fcc732c26a9d3ea357a8a5a
0e738141435d85c326c49dba8cdc7bfdc990188d32f3447e797162bfaabb3301
ea02c25b3f82b2b175a483d4afe54e0c75e733865c2bd150670e7d296cd0dca5
36e763233ca3ff441f5ce71a59ec7b108f6329d27406b378758f6437a0f049c8
2139944dcc75ffd2ae23cf50fb751ebec4dffb7774764e8b4d48808f0925aedd
c32e369709b4820964c1ec126228f516bb4fe56e138ecbe5a3828603c3f8b7a7
d68bfd59c3db0b1e61fc5d88cccc6ed26da7bf1ce62dec8b7e820b2d0df77fb6
63b1c49f2a5cb69d745bebcbf6f3a1dceabf30e813840a25eff4284d20220257
8f985f295e769cfd6436d575d39b83ff17892794e90becbbc673eef403c70ca5
18ab014eb02b94eef74b9c6fd3f84a8e9c593d9cd8deca6fc5d50adb723dcc83
f7431cb039b7b6deb859f5afd5c813fca0f9a1b47dbcb0cd7bba5ce3a9b754d9
f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
04709040eacfb086cb71024a846c381ba9aaaabc80580aa2a63057df7ec218f9
15ca9c4f1fc178f2f528b1c6d677a77a93b8fe1130172137cf6a8d748eb66f65
252eaa61a695de83aca6a07ebcb56562204aee69b42f1836bfbf5cf9d64f149c
35befae36a2f6c5d15da8d5ec83ffac9d42e32ea67a63b42fe9e230c5bd97462
d8385e24dcc05c0115ca31d9af40862be2918e6e14f1d5c83925827484ecdf8a
67f529dd5840b8cfa3b8c08d4ff21f6767fda83343a508536ce7a9a643198f0f
a8c3823229eea7d77b5f4a95176e9164ea666e7223ef94307973af7995c7764f
SH256 hash:
853f530579b4aa0d5f36b83fb15310d1165c59906bc8dda245b686c26a2fe574
MD5 hash:
6dcd36e908965b3a3c4ab333fcbb6f4a
SHA1 hash:
2d4f917ce319c586cc77c54ee2c80616c5467d32
Detections:
Saudi_Phish_Trojan
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/67cd40d1-6511-411f-be8f-d142f5c85dcd/
Parent samples :
9d58f6f9e8cadbecbbef127edaa0f5376f8a52643e8d08d029f6672783a16e22
af44409d8c91f6233e6f5158318c154f79b07759cdab2285976d42aab8ad2953
21f4cff809112e0a354179b898ede4e2d46c02c4054faeea2a1d57c08f6ac6bd
3e941cee8775445c37f252c350d1db6c09ba1587a798ffe8ded410568fe84629
008829495fb07d03d8ba297ade38201a8d713902ee7b2c18710e2ca63513daa3
5d6af06be9ec01074484b491de582d0ba0625f30ef36b96331675cd2615fe7ed
15114ec1d55832243fff432834efa5432e01e8834b6b8bfe05c7e6e8bdf78b7e
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
3730cb53c74ac925b65e3c43e603f1a2664d5b06d1c9239403a7178ce9c3e4e0
f746ed45af2d73fae31d7c7b26b365377aa7d8bc97a12b9583502797c71502f1
1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
46de16ca8457889b62194d6dfc6a4baedc6ebda2feccb40cfede71e5ef8909a9
1d132becb6f5aa7c2597944d9fa196bacf8cea871ccbdd09ce64cab06f581583
c63a10d8a92a5348801360fb963792f3f4309d6801eee6fa63038333f6b5d830
d5b58663ecebfcc7b6093c8d0fbea2539cbcaeaa00d3f46f38b60353223ace6f
29f087438d46cf90b950d1013a74442b2f59854ff69b760616b9d14d6ac9a801
55f2afe80aaf7acecb9a81cd6171b4bf54a30aca00df32c4fc42aeb37d383f39
8826eb70de19f0bde0925ea53e0e33510e5414658ceaf5afacb6c1fb180d9745
0b31e06dc15e96e9b5a3ff9f7618643d8d0e8e71f631414482ee8c218bbd2d85
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
b5e780ba89a5931161f195adb76074b20fd6a6074193529cbe6fd80031f66ad0
1114073506daab881c22bce61bd90102035168e438f38e854f6ec4c06d6d32c7
7bb92c2e39257c484c80d3b38aa3434b89eb60ff3af59d9213768b584e4f30ed
41f69d2ee1b520c3b7b6f890f1aa179e8e4e7b42e0ee9bde0d0bffe6ee99e21b
e453df70a43c13e5369e84d709be914f98bd1035d4efee09d090572baa1845d1
1a4bea91e3d72f6c78b16e46376c9705c50d45f0c1ab05b0145bed9b8a33e477
64b31e1b3603d676bdc0bbef41f539f4512bb295f019e25989694bfe05431b83
4860c4829d6149b7b05d263746a1f28702c98d9e187eac27c32f6b2bde162e9b
d1eff45d764dbbd9e9fc345263b8b7f3b39996d4dd57b3c3ff4dd57215faad07
fa4c8c4fd3ad0008d15bcd71e575130151f5f211f7b1fd3e4c934e68f9ec5ad7
96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72
776774dc37907872aa37bd08d7940d51fcbdf88d09dddfd406215a9a5711dec7
0443311f4b05218b62f48a55e9352a7bae03736be86f25590419adf5839f23c5
f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
5d47a80d0d70a08c67a9a793bfbbb939c9b13938e76e4b03f8499b3f4e4caa6a
289c80a31dd9c0f4c69db3288e5240e090a70e076fef4e392c63af50d224e4a5
33cde805b1aa4d8bdab56b02496c00745feadbbf0931c1f759fb9669d0090b80
069960eea034929991cd4c1edfd5cfbe12ecd1fb8cc85a58e64696c69839f49a
edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
2d79661bab06962e3e62224d335c54bba46b49816053a657f5e385f9c664decb
18dcc42b24c46ae2977b3173964ba0a89595c83839bf527a32a7c7b28b4c369a
789f724c88740882c6fef87be7bdf47461cd59482f41fa18d48ad799b9cfb931
c9299fe5ed7896a57647e91989b9f0eaaaf695a0327badb974c595f461602645
9ab459961a61e4b570365b270bbd8f19ce432275f7d5a44c22fea3efba69fa9c
9d381423ee9f27108e8df36d255f1cfa33e6873ab0d7827d72b47d548293024b
ebaad7382547ccd2a7122e2a991e0b5fabcfc49823e258eaef1c2c57062321a3
59271e92e53dd84c1525724e5157c22a417a7875473031fd268245033917f97f
SH256 hash:
49f12025017c6a5aec4d4b5c661048b49e05635297a55aba88e28b8ca74ef0ce
MD5 hash:
66cb5e8d0fd00d3f69cc260ce48dec0c
SHA1 hash:
11fb2d2634ad099a38a9814b52b5e2778e7c9e89
Link:
https://www.unpac.me/results/67cd40d1-6511-411f-be8f-d142f5c85dcd/
SH256 hash:
2c53810fcf7bb01f5139290c853ece462ccbe7f7a7d4c0b0a05bac37bf96ced5
MD5 hash:
9932e699c89a6305b641ed9fd25d16b4
SHA1 hash:
09d327624bc10d87fa87706e3b6d5e039d15e93e
Link:
https://www.unpac.me/results/67cd40d1-6511-411f-be8f-d142f5c85dcd/
SH256 hash:
f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
MD5 hash:
42efd4cde38bbbe915c02dd495100cd3
SHA1 hash:
c4181196ede2c623619d214ecbe9f879b896786b
Link:
https://www.unpac.me/results/67cd40d1-6511-411f-be8f-d142f5c85dcd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/472693/

Comments