MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4eda49ca8e4098cd24842ef3b8c0ac249e10fd106c8c59815a3af3b1bf96778. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	f4eda49ca8e4098cd24842ef3b8c0ac249e10fd106c8c59815a3af3b1bf96778
SHA3-384 hash:	a5042f0827a00e005f743eb38501e5aa6ac00cdf29fe005cf7ce6b2f2bde8e7bdce2a91d51c0a1259c3f4b28d9b847cb
SHA1 hash:	6a796969b864595831de75385d43e408192e613d
MD5 hash:	e09cedff281ffabeea998c023fd1452a
humanhash:	uranus-fix-uncle-three
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.DZG.genEldorado.2340.23025
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	968'704 bytes
First seen:	2021-07-19 06:56:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:cw8/ZJyvUIZbVlBPI2VBPy4dux7zWLOvQELHSTMSJSg6+7ZtA3gJDBRIQJ:/xvDBlBPIOBPy4dIUOoEDdg6+7wQBI
Threatray	7'053 similar samples on MalwareBazaar
TLSH	T17E25F1263227A214DC3987F41C65C1B12BBEAC2A572DC27C2EC4AD7F7D726BC5AD0590
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Kryptik.DZG.genEldorado.2340.23025

Verdict:

Malicious activity

Analysis date:

2021-07-19 06:59:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/31b49874-92c5-4aac-a323-baf0d523b5f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/172485/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.DZG.genEldorado.2340.23025.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21324fce-26a5-419a-bd0c-7ce2e4f87c95

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/818084

Signature

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f4eda49ca8e4098cd24842ef3b8c0ac249e10fd106c8c59815a3af3b1bf96778/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-19 06:57:03 UTC

AV detection:

8 of 46 (17.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6tw2jhfi4qeyzusiilxtxdakyje6cd6ra3emlgavuoxtwg7zm54a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

22cfd286f4b15dd23e9bd7236fe86a0d13a8ee465127fdc7713f57c61d13b308

AgentTesla

2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e

AgentTesla

2d3642f2c997cdd1a84d283738cd6d09f321f681dbc26fab6cca262d59401e20

AgentTesla

4bc5afb7fa8639008d294a8afb8f42531bfcf084398600500bdc81533602c760

AgentTesla

6abf5552765851e4db6d8346af1473568c7d1497fd848648e32bd1c5c8d8cb2f

AgentTesla

70bba7ae7db7a571dde9f6e9adad50a1b4fb32b8757f5d6cebb3d73b833644f6

AgentTesla

7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6

AgentTesla

cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825

AgentTesla

f5e0c3bfd23d86f0cdef681b4922c59e77fb094bacd29add988ff6c9a30d850b

AgentTesla

+ 7'043 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210719-s8421n4n1s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1

MD5 hash:

b1a7b752b6638ee03cffe5a1dde9213e

SHA1 hash:

52d215a173d2f293990f8c12fc7f4a86330a29cb

Link:

https://www.unpac.me/results/43e10b48-0e8f-41ab-a91a-9707d249ef3e/

SH256 hash:

f4eda49ca8e4098cd24842ef3b8c0ac249e10fd106c8c59815a3af3b1bf96778

MD5 hash:

e09cedff281ffabeea998c023fd1452a

SHA1 hash:

6a796969b864595831de75385d43e408192e613d

Link:

https://www.unpac.me/results/43e10b48-0e8f-41ab-a91a-9707d249ef3e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4eda49ca8e4098cd24842ef3b8c0ac249e10fd106c8c59815a3af3b1bf96778

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/172485/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample