MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash: 8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47
SHA3-384 hash: 5403ac75033cc11ad860eb3d11433f0b1709651837508298a7e0ede7174454af21480d0058ffaf47b36e69bbea65bda7
SHA1 hash: 8930a2e630f133dfb78e87e06b4f9ecd882a84e1
MD5 hash: 3a391e960ff363979a5ac9dc3a95c636
humanhash: skylark-cat-floor-eight
File name:Revised Proforma Invoice_New order.exe
Download: download sample
Signature AgentTesla
File size:636'928 bytes
First seen:2021-09-28 06:08:23 UTC
Last seen:2021-09-28 07:00:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (23'043 x AgentTesla, 5'566 x Formbook, 3'013 x Loki)
ssdeep 12288:Wcdn9Pox2engU3L9iCXCQUy+NLBreWNAMg+MMMMMMMMMMMuMMMMMMMMMMMMMMMMR:WG+9cCStVreKg+MMMMMMMMMMMuMMMMMp
Threatray 10'327 similar samples on MalwareBazaar
TLSH T139D46C716241AC96CAAB0C3AA905EDFC0D213DAB931483A4F5FC3D9F70F6D724D585A2
File icon (PE):PE icon
dhash icon 74fcd6e4d4d4d4d4 (4 x AgentTesla)
Reporter @cocaman
Tags:AgentTesla exe INVOICE

Intelligence


File Origin
# of uploads :
2
# of downloads :
105
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
Revised Proforma Invoice_New order.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 06:10:08 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491993 Sample: Revised Proforma Invoice_Ne... Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 5 other signatures 2->37 7 Revised Proforma Invoice_New order.exe 5 2->7         started        process3 file4 25 C:\...\Revised Proforma Invoice_New order.exe, PE32 7->25 dropped 27 Revised Proforma I...exe:Zone.Identifier, ASCII 7->27 dropped 29 Revised Proforma I...e_New order.exe.log, ASCII 7->29 dropped 39 Writes to foreign memory regions 7->39 41 Allocates memory in foreign processes 7->41 43 Injects a PE file into a foreign processes 7->43 11 powershell.exe 16 7->11         started        13 powershell.exe 16 7->13         started        15 powershell.exe 17 7->15         started        17 2 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started       
Threat name:
ByteCode-MSIL.Backdoor.Androm
Status:
Malicious
First seen:
2021-09-27 19:24:38 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
356bf3f3bc5b4fdb72280d574367b1710933625b32efde68f49d7468810be152
MD5 hash:
a96e1e712903d94f944797528242b911
SHA1 hash:
0f6ba5b5c6f3fbd490c72d173a5a2264dd3d0baa
SH256 hash:
8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47
MD5 hash:
3a391e960ff363979a5ac9dc3a95c636
SHA1 hash:
8930a2e630f133dfb78e87e06b4f9ecd882a84e1
Malware family:
Agent Tesla v3
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47

(this sample)

Comments