MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02cb460ba00233079c5d54b45aeaefe8000d5fd14da7c25f86ef2606587fc4db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02cb460ba00233079c5d54b45aeaefe8000d5fd14da7c25f86ef2606587fc4db
SHA3-384 hash: 3d2d8ad40051a88fe26f5affa039c0001a827052a083528437e8d5b16bd4d25e7f6c2b799f9dbfdd6efd391873114dbc
SHA1 hash: b28c7eca20c1cd30ce559f55b6e7b3f5c8d7d9ee
MD5 hash: a8fe01a374690767e9e37df662706fca
humanhash: batman-music-white-kilo
File name:PAYMENT INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:329'701 bytes
First seen:2023-02-15 13:39:27 UTC
Last seen:2023-02-15 15:43:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 6144:PYa6hsusOT6r/NG4aQCoPaAodQ0MfQxsByFzOz8EM/tHLe7XB/qcoXNghN1xZ:PYrRsEEbCzxdOy1I1UtHLcNqcoduL7
Threatray 26'144 similar samples on MalwareBazaar
TLSH T1566412897B74C467E8964BB02C3F46BA8FE0693118B1039793E0075D68B095A9B1F7B6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
3
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2023-02-15 13:59:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2554802-18ec-48bd-b952-7c09a8f2c86d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBeeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/366612/
Detection(s):
Sanesecurity.Rogue.0hr.20230215-1234.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/70361/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63ece0b8e897c0c33ceb8135/reports/06852658-7f98-4894-99f9-9b8b7114c81c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/02cb460ba00233079c5d54b45aeaefe8000d5fd14da7c25f86ef2606587fc4db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/901d6389-e938-4750-b66e-45614bd26f2a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1176440
Signature
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02cb460ba00233079c5d54b45aeaefe8000d5fd14da7c25f86ef2606587fc4db/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-15 12:28:17 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=alfumc5aaizqphc5ks2fv2xp5aaa2x6rjwt4ex4g54tamwd7ytnq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3652bafc6040261b1ee34d360ca1f2a28277a258e9ed843ff0b8c846df58f8ca
AgentTesla
3d36a06552f24dc4a5ac3a4d9594e30dee088c95c1139b6e2d1374130d9065d9
AgentTesla
420a5c46e9bf188d8e3b8b66732101e4f4a5626d6094979f2ae072399f391412
AgentTesla
4795e398d5dce733ecb352580be08b33ae668684856a5cf34a8cc21fa303c60e
AgentTesla
83fa00de7c51e2207ba81c20078eca85771a321a97dcb667e7c0194be918f522
AgentTesla
c5cb50f2a9e4e82bab699a454bfd0370d9b0990edfe795c7e2903cc2369935b0
AgentTesla
d6b1eec8bc20f67e635ce3b33938775757508384db07f1df35e4d09959f8cb6c
AgentTesla
e2bf337f1b1e280f6fd7e3ce9c6dd7c3c356d3063413ce88bd0679bfa84a4a95
AgentTesla
fcc4c935f6f38fdf9627ac990daa904194fd82410fac6c91d048c837d5190d86
AgentTesla
+ 26'134 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230215-qyj3dsbh88/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
839f0631951b319176fe67bca43de293a7d280733dd68bba7d2d328b42100c12
MD5 hash:
e59edcb9d1dd6eb9ad788c31037491c0
SHA1 hash:
acae5b5df718e6081368e104a4eff20b35a0da06
Link:
https://www.unpac.me/results/799fcdd8-6ed6-4806-94bb-5f236cc2ce34/
SH256 hash:
02cb460ba00233079c5d54b45aeaefe8000d5fd14da7c25f86ef2606587fc4db
MD5 hash:
a8fe01a374690767e9e37df662706fca
SHA1 hash:
b28c7eca20c1cd30ce559f55b6e7b3f5c8d7d9ee
Link:
https://www.unpac.me/results/799fcdd8-6ed6-4806-94bb-5f236cc2ce34/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02cb460ba002/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02cb460ba00233079c5d54b45aeaefe8000d5fd14da7c25f86ef2606587fc4db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ecb753038c8cf2e221ad6f94bb95fcfbac4d555103fe5deb2c425c0eeb32921d

AgentTesla

Executable exe 02cb460ba00233079c5d54b45aeaefe8000d5fd14da7c25f86ef2606587fc4db

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ecb753038c8cf2e221ad6f94bb95fcfbac4d555103fe5deb2c425c0eeb32921d
Cape
Cape
https://www.capesandbox.com/analysis/366612/
  
Dropped by
MD5 4730f226948693f11d339896d3a7eaa6

Comments