MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1178534bbcdade87eb65a5b8dc7ff6d0bca0a28c946a90914363bbf2c3e367c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	1178534bbcdade87eb65a5b8dc7ff6d0bca0a28c946a90914363bbf2c3e367c7
SHA3-384 hash:	01185a19587a90da490e8513a0433dbd52706ae1605895e8bd9223bf9394580c334d4e8e22a60682bd0fbe925482e77d
SHA1 hash:	007d74e832415f54780af4fad87a33c30728505b
MD5 hash:	fd2c62b5faaeaf9db61e84198543dcab
humanhash:	foxtrot-black-sodium-utah
File name:	awb_shipment_invoice_tracking_1215202200000000000000021.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'007'104 bytes
First seen:	2022-12-15 12:14:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:rKeHV1vvvkp6/ckkdDIB7i06Yw3bnie4djHUrFaJreJgu+EiEeNwrzUib+IL1C:Qk0MB7i06Yw3bnIOrHt+Ei7NqHp0
TLSH	T1E5259C0A70D85D59EB51EAF10740BAB13A933FAD65DEAA3C4EE83F4D0532618DC241DE
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f0dc9eb69696c0f0 (12 x AgentTesla, 6 x Formbook, 3 x SnakeKeylogger)
Reporter	0xToxin
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

awb_shipment_invoice_tracking_1215202200000000000000021.exe

Verdict:

Malicious activity

Analysis date:

2022-12-15 12:18:27 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/9286e6b0-a5c3-4936-82db-e62e2836f6da

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/346615/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.48217.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Launching a process

Creating a file

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/639b0fc9eb30169fa848d355/reports/99fd0d6d-f210-46ed-af4f-9a6264b13916/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/df3a2c74-0991-4918-853c-cc3ef53b5608

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1134976

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1178534bbcdade87eb65a5b8dc7ff6d0bca0a28c946a90914363bbf2c3e367c7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-15 11:53:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cf4fgs543lpip23fuw4ny77w2c6kbiumsrvjbekdmo57fq7dm7dq._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221215-pew26scc84/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5672966801:AAGkdauVLuRijg4BBwGbZ-5sO2ggBTSZUHE/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/73a83625-8b9b-446e-8ac8-54f27237f443

Unpacked files

SH256 hash:

35cad145efd0b5b6396491150d2e307d4cb5e06d4f1b41aa310393c6dce520b9

MD5 hash:

56f8354a2e307e73243ff0056295fedd

SHA1 hash:

ed3257769ea438e1b5e86c3ef033e2deca86e239

Link:

https://www.unpac.me/results/24f362e6-7d57-44c4-b4d8-27994e61f7ce/

SH256 hash:

957685c09e6199625a987738ccb91ea58462d0a4056e92b80d7da8ba4a5f881c

MD5 hash:

b1b7522305543ceb0cb94013bdd2130f

SHA1 hash:

abfc949f237c64fac4ab6f2e947067273f90032b

Link:

https://www.unpac.me/results/24f362e6-7d57-44c4-b4d8-27994e61f7ce/

SH256 hash:

af0b33e47550ad05d97ab236c67fd94c024b9a203c746ffe886a2052c80697f8

MD5 hash:

aaaed9dab29523f775b7314462f55bc3

SHA1 hash:

6fc8d31c23c639c08f05210228c5449ff5fc3c05

Link:

https://www.unpac.me/results/24f362e6-7d57-44c4-b4d8-27994e61f7ce/

SH256 hash:

c3813699b586e52249a0e07a834964958701bafcf0b0516a9700fb3b3bf9e3bf

MD5 hash:

08ff28e6411a0ac9bda79b0c84147e45

SHA1 hash:

3356cf30b64425b083dbb4080d7e023a40fbbe74

Detections:

AgentTesla

Link:

https://www.unpac.me/results/24f362e6-7d57-44c4-b4d8-27994e61f7ce/

Parent samples :

90a12c6f1f1a444359902cea58e65e053edc3997be8b5b564a06a5072c0e334e
1178534bbcdade87eb65a5b8dc7ff6d0bca0a28c946a90914363bbf2c3e367c7
c1b9ddd584078ecf7375239eecc419c3ebcf441c71db62b8e559b88613861026

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/24f362e6-7d57-44c4-b4d8-27994e61f7ce/

SH256 hash:

1178534bbcdade87eb65a5b8dc7ff6d0bca0a28c946a90914363bbf2c3e367c7

MD5 hash:

fd2c62b5faaeaf9db61e84198543dcab

SHA1 hash:

007d74e832415f54780af4fad87a33c30728505b

Link:

https://www.unpac.me/results/24f362e6-7d57-44c4-b4d8-27994e61f7ce/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1178534bbcda/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/1178534bbcdade87eb65a5b8dc7ff6d0bca0a28c946a90914363bbf2c3e367c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/346615/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample