MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
SHA3-384 hash: 218a5b780bb058861e6b0b6e2a4350319d6654aea9b711cc48b005c9e5762c65799ff153d3a69c84b4f8b8b0fe477d32
SHA1 hash: f2c932de238331f07a9f98cf5396c132a68ce511
MD5 hash: 880ece5ad6373043b4dbdd2a001209ce
humanhash: tennessee-white-juliet-nine
File name:Invoice_Payment_Confirmation_INV#240085.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:778'760 bytes
First seen:2024-12-09 05:45:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:1BdY9shQg8HLd1/d5HckhUgPCOPQdayOxZTCvvSByAN0RqqhSvwB3lSf0OGXekR:Tdhl8HLHDH3hkOPkGsXSBHN0ThkmVSkV
Threatray 829 similar samples on MalwareBazaar
TLSH T13CF4F1A4BB1DC513C9801B745EB1F3792669AE9CF921D213AEE8BFAF7CB16151C04183
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 30d4f068e9b0d430 (7 x Formbook, 5 x AgentTesla, 2 x VIPKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
411
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice_Payment_Confirmation_INV#240085.PDF.exe
Verdict:
Malicious activity
Analysis date:
2024-12-09 05:47:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6989ba06-c545-4bb3-9cb1-6d8c49b60e8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.25647.24183.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67568421469da547b3977b58
Tags:
virus micro lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6756841e8ed8dce5cbbc5acf/reports/35917ac4-4178-407c-be60-7fd796d5082a/overview
Verdict:
Malicious
Labled as:
Variadic.A.410.Generic
Link:
https://www.hybrid-analysis.com/sample/123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf2607f9-4750-4243-a0c5-43ff9bdbffc6
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
63 / 100
Link:
https://www.joesandbox.com/analysis/1571206
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-12-09 04:54:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ci5pxejkizxjxhpstce6svmvuory3beu2wrijilu5rcmeq7kgeoq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
31280f11bf64367779cdf2d9e04b62fd7ad53c28fd44bdf70e7793583793aca3
AgentTesla
7a43feca0b94dac643e10cc217a4dd5d519399791611fb9629aa186ba277ab00
AgentTesla
b7f92bbf59df7cfb571012b7aefa91bdc9f25b9cbced01e91dec5b0fc1380f7e
AgentTesla
cfe2721470f3d2165536a03920786dc6ad9a85cb8efd74362be8315ed261cbef
AgentTesla
error
AgentTesla
+ 819 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/241209-ggayqavngn/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f4aba2c7-3e15-41d4-8dd4-8841dadcad39
Unpacked files
SH256 hash:
c7cd04a550d73eddc937107252597ef327dce4c2ae5e951facc534ba756eb032
MD5 hash:
010505726e9971964727185299879d75
SHA1 hash:
b605221465baa9ea826633a5ec2f969758e3eb94
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6d83e7c2-7e27-4238-8213-34205b73e199/
SH256 hash:
2fef79874cf9f038ce2e6892c03dea1cc23f39a1cebe6500beac276e0d00494b
MD5 hash:
77f472c207ec2cc123c04633607a4e61
SHA1 hash:
7b905cd11273520effaaf18642dce6f92e933b61
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/6d83e7c2-7e27-4238-8213-34205b73e199/
Parent samples :
227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a
0ecf60ff337dc16beed8a7faff49d2992ef4fe0f4c76ffc07457a011b382da90
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
015bd9fdf0c4d73684a6b6349fbdda67ba243e0f78923e1d9b4f535b5832b04a
8c9ecbc59525eb2696bc09eef4a3e15df74be78bf378594fb204349bc949edab
cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
7de234e703b36c03b4952a55b0b00112d2bac77b5106225bf28d4fbb7154e049
d30d43ea8f103340a2307145035f404873d3d345f310dbeba6fa20f85d3fb790
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
ec0c57ee02c554f4d9120e583ae49741d7699f6e893434c6de082fd7cf504b17
9b1796dd7887612da304445be63506b9677ba72c84f727d74ca5cabc5771d675
264363a6ad5f6720663cd201f8037f0c6f3bfda8216bb8f975e7df9fd9c699b9
8f382b44be98d01413be1f9dc3221e6565e35d73fe41a94f9727b9ce4c71d6c9
50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
5ca92658980b5d1f46f53d78202bd40e442163622e2edb5220046f74e5748945
cd676542bbeac4ff5dea88783c4e93b89971bdf60eaa04128f1d36078a4c2ad4
7bc91b9cdac45afdf50b3d0172e853c20d2040ceeca205bf2fbce469e12bfa88
50b149ecd824e894ea0702c35f1c693cf8a44a664ae3895b97330b8e5d7de21c
50e5353cf814e1f75d7c18a99c897670905b7e119d5d02cb532e0466819d68ba
7a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
120a2be02a522354992cb67454631495bc3116385e14cc77448444cb5176178f
27a97b69d2d9ea5dfcbf049ecd2796b25027cbe5c827da030cbf0ce1aeba5e35
4d968bf8e1e18956b459f9fce7e574cdee06e48559bc107ef42cec7777d58991
51717d0028159660daf45caf1db519581acda095d1fd2e49380abaa09c208e72
6bf4d235aec53cebe445d895500e0b9f15a9a245a078bbd49a65373371227f70
325c502174ac471c5b880cc4672193ca5ee66c94b22dad9831fd415853c7023b
752b6b1cff0314248ea1dc2f2ee4a3c8fdf9ed49da3dee49cb128a0e7ef98bc9
647c7306c455afa936e4e7b24cf8b676c9bde8e824089e397347ace6e3de793a
1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
1d409e94b935c68a4b4841a1b2e05c6abf1ea827c419eab8bf3ee23229574160
b71fb82589e3532a9390352bc87f7c2edc2cd7fae723fe203500350a31559e17
4c839863452a16a4d99b13065cf93b09547d04b86ba649a8b40976122ff67a74
2a8afcd73b04e7a6285d428d348753b5d4e91e8e0c62ec44a1e54f678923dc0c
d025bba170b25ae8d8fa113ff1c1ec0280f56ffc742ebaddeba285af3f704256
db1d735638bab763d8e3fcab6055873556fa4f7b9437f99cd594400839c077c5
72d3358ea74f770930e44d382a00387f1451399ef01a513d11ef80ba2f9da653
f2675f59a65add81d32683e6ec1a2aec2c37547df4ef331c21b5f498ccee7897
e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
2e0e7afdab8ca0ee49b2e3df7d9c8c3ff3f38d615fa114bd9dd06b8705842d5b
3240d336a0955bb3bcaac9f177a7dfa3c6a06e302c37fcc1c83d26ed8c283160
e0e53651961939af9ea23e40529bec8418f5915d4a7faa23184adc4febb81b92
580d408a0d3f6bca3bf2ee5ed847e4eefb32eedf4941870109b78674d60da7e0
SH256 hash:
a4ea280f8614b914a14799ef2c29779bc5b6152b0ef9d4f721385648da0db212
MD5 hash:
f636f2454dbdadec5a1936a8455db489
SHA1 hash:
657d86842a83eac4829596129fab2ae5862f487d
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/6d83e7c2-7e27-4238-8213-34205b73e199/
Parent samples :
b7f92bbf59df7cfb571012b7aefa91bdc9f25b9cbced01e91dec5b0fc1380f7e
ae7c268e9b988e9fa86380095f0a5cbb7d04024505c01dab09feed5ab8551b8d
338bd51d53c8c482447321ad6d1ec585faedfc3b9d5429f3b33bd805eadbaf92
0a58b574ccfb2898c4ee47a8dab29174c2193731573d4578b7b5ff83ad1196d6
fda83ecb5bd6a07dedaf6be0fce7c626e21e9df94d82ddb905460e9d6a25a162
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
9952c53705dfc353eeaf4262192cc740a066cb2e401ae3ec9e2ba11706f429e2
23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
be5f3e984fc55b64b4aafb52c1390a52ab94c92a345ba3008df931d2eb5452b5
c68ac751c2b84e31bd64a9d318fd5cde9c1fa7f9f9090940808fef7989b3ade9
a674d532150b92874dc954bb8349b6e66a006f1f7dd9381f751237cc98d38dc2
30f53c188f4ca288bab139778eb5426ee3db92ddc779c8df149b501334dd8dbb
59cbe4e681c4371b18a5f6d457369560ce9e4f0eda5a39de1acab8b5bdf73bda
7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99
af1c4d4509e271497c9eac4c96c1fc5c4e419c6d73b69a5141380589e479c16a
a621353d9ba0b680e8f65d1951b47a74a08c1dc903eb071a64680a7a46793197
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec
e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474
10fd2d2e6c357bcffff543914c648b64fc672861551b5b098ed84a6db04126a3
2d5f57ef41272fafdd56ac619de62e86bf57938c96032cfa90eaa3c48930f012
10559de6aa9d0859f9a8b46c69a4edb950297610a98121a1fb8a3c94de06ed05
43c802763ad10188bf10a16b5bbf7840447d46ec04d1bfc2ef60c58dab38d951
b1d51bc9c016f36486682366f537633a12b95e16e68d7fc184f7a9bf9a48a811
5a673c2139bee9e5deec79e98e0baf1026af44a5a02487d474de76d16b7eddc8
e5ee0f86a7365463f8a0bdd3591624c214c8db88abf861d06d1fbd342a6fbfd1
a641f727fa4566ec19a3a04edcbe7e177aad8fb5f2381907e6c38adfa01f8a7a
6d98593e2de051c5ab3d36ddf4107ab2a0680bdb6bc73bdf9a75c62bb05b124a
cd47f0c08702e38c1ec62ae345136fb824e0ae0db0a8294b97ca9a474edec2f9
a4ce664077c1707b407385c08eb0f4e9299229717ee02b1b1b2f9745ad82613b
819f0be98d577e7949915dfd234c0ac0e0d12088eacab58f83a4418ad3675b4e
0b22914998a25304fe8e6dc1db692f037aa9b2066b43a53f0b24da35e629e6b1
470b09e386f5cd8befb4796af1aec03895b755d4219d6b9fc14e41ae5a400e23
f0c545e288910de036c58dd733fb4202b7cb45daa4e5f0e72e418544c4b1528c
b6f18002487b80c6378f7021d10cf6a6ccad659bb9e4a2c4aa9d016c48b8bfbf
aedfae05284600f51e6fe18a6f47ac68c7971e365d827bed7bc2205f27063c8d
30d5fcd7da81bc0b8d77d5b3547a227bac06bc781990f528c0bd78d696235779
357b3313f39b40d4b9acc1181d3eca642418b945e0b35cc0f3c436b9598fd8a5
353630ee79a8d39505ae091c60cb8352182cccdb9b861d1cf6ff2e19f2cc5b1e
af1593748a93b90fe69835554739c92bc7147611b405e8e93bbbffd65ec0c958
ab713363a32fee4abae9d10b1c18fd58454529f80947c5dc221379545b1c86a4
7a560acc97e0be33258afce759c4c215a91103e7b7447e487d540eca65959f4e
7c9d0d539bd2ffef3dfee864f3f7078937f7c9fe392df2f9511ad2a21be9446e
6c863b2dd3f9e7a690f4ab3a1ec9c7da83d2f20e7b82d58dae4bfae34218a878
156ffbc1adf860198501bf76e6428debdfa847e13e73796ee9bad6e982bf94d4
b7ca5eee2c0af78525e33094a2c1d38f639824b8f051a50216dc47417f426bba
cb627325f51d6abcc61a922937e0d66beb75a7c52f28341178dcfbcb01794790
dfb8ecbf4f52efbf20605c2be946d62bb062edf1dce896a9b45516c7aa90e422
b1f950d68fb3e445f741d2bb7fefbcfe1b1a756548dcc6f88b173cae77495b57
5abfe96f31b8b8e4013501cbd3e7bb332e03b37e96f04cb75f05c04f15bb66ac
e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
b456078d0dff3c375378480fb133a340d88ae4b59d6598ead4249d66523f3428
0707da3b9e454ee6ed7fe3bbc1e61811fa9907263ed843c98ef408f5f741690c
c368072750d355e8b4139efdc6c9007ce31c2989067248ab9312a4d7479015ff
efb452117b9b073d0200fb4ab2407615a33e2149fdebfba2881e711d187ed514
57752262d1f2b530fa014b31fe3d836f47d0b8ebcc81e275a9bf173b42f808a3
f9c3b78cce61d4ef1c118287edc5d5d3324bd64df1d2c704c087e7b073d7eb33
0f99bf966f34d5152ee51fd8510a37b3fc0792334c9b8f2475e896bc2ec72a6e
2f835a2d633b2fb81fb9375cefc17313e59a283de5869b7d7f04b42e9134cf25
3a8d95ebd1a116107405f1cb2a7d42e954643a9a0244ceef22a70b656b8525a3
6fa16359905843e294d5f805986bda12aa603775ea7db1eaf10beff3493c3b93
bf166be918695404ec2724b62671d7eac13fd67e39433894439d70a2ce534861
99d1f6ce99a8c07c33ee2dafe789299e0a51c2860882a2548c6e612606b1c1c1
ddb4d0771b710a59722707002a175602f29c6d1aeab70c61e0e9dc3eeeade55e
ed27568e72ac6bf7edfb74b5a35ea694d11ca0859753ec5816bf0d84c5803958
54368441d4ed3cdc5b14f8de606c9c0ef111838b10072a6ac68cd58d8b47bedf
c9a5fff84aef8b46605c9414b3d20e1f190e902454757c1f89179c5436422109
44ae98fe4b0b4bd2000ed7ec88e9b7458e04c1abbe64102142c1686ac4ac494b
80e7e263927b11a7f93f188d4e1e4ee34a4751187672e5298c03e6ceaf43d104
dad46ac711be7ee69322bea3f3069bcd644ba55cbbe635a232b1e76fdb08da23
73d81ccb9a09fc6ce1789df05b4fec440ba9aa3c0998da3a843e577a111def96
7b75b7d9e892e63a9fd39ccb87222d7311b6a3e9cba68cd34dc650e15e295796
3249cbb032d6aaf66c01aaddc48eab91417b1f22b97ddb659f2f5a5a5683bfb3
SH256 hash:
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
MD5 hash:
880ece5ad6373043b4dbdd2a001209ce
SHA1 hash:
f2c932de238331f07a9f98cf5396c132a68ce511
Link:
https://www.unpac.me/results/6d83e7c2-7e27-4238-8213-34205b73e199/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/123afb912a46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments