MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1
SHA3-384 hash:	175e7e05365863dd3a17672505c03531bbb9a8bf1152c240ac027e0afd7bc21bc6c9ba0e35e6441f22aa73360f2b1233
SHA1 hash:	5e03bebf7d22f69a164c1c3baa86f5500ed8f013
MD5 hash:	048c3672872750704dc94eb8f0552857
humanhash:	violet-uranus-rugby-diet
File name:	INVOICE AND PARKING LIST.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'171'456 bytes
First seen:	2023-06-30 13:25:44 UTC
Last seen:	2023-07-03 06:50:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:utkZ8AmDgQuk76kuFyVcNKj1go9VOLA8WrYJTv0xWWjcAWr1vcX2M+8RomcpCIiR:ufdBzuIcNKj1gCVh2Tvqjc
Threatray	238 similar samples on MalwareBazaar
TLSH	T1FF450858B22E388EC4578A3994946E2DDE4C2CE74216973350833CDEAF3D5479E1BCE6
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

INVOICE AND PARKING LIST.exe

Verdict:

Malicious activity

Analysis date:

2023-06-30 13:29:00 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/5f47783a-2d1a-4a37-97e0-55b4e9c79b98

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/404128/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.31098.1821.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/649ed7ec3d1253262b2cf718/reports/01911da1-e797-4427-ab86-06b77f965ac0/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9157f250-d62c-4f57-8a47-2f4a732c6d08

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1263913

Signature

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-06-30 10:03:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dnozly2q52w4zc76t43oxbwatf6lhmgf6lhm55kexbhpxcv5vtqq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4ed2a8e2291ca6f9684acf27a278a2667b703af3c4c67f9bc92eeddb6dede245

AgentTesla

903ea42c02e8a30f6ad63666de0748b4fd4c2758c220b39af57269d1eebebb9d

AgentTesla

9b5878a78bc3e0fc2bf39e470a02b77509ed5935ff1139270fb8c15158949849

AgentTesla

9e778ed10d6543b0b16f50bbb021181e2cd1d6e9ab230f28492eeb45838c3893

AgentTesla

b5ed2d16101b333863529e10f2413b70ea33ffdafb65ec74ea849f9d425fdf91

AgentTesla

b8affa2c64dd1a3661fd9ea46581ea09b733871562c2d080f2c81923e7275961

AgentTesla

c906a3041425da5b92aca8c125d3d9295839b5edd1bb17b22fdd80f1f18a1293

AgentTesla

de955fab450ed36ebd64571db676d4f9330458fadb058f22f57c0a4683d4fc96

AgentTesla

+ 228 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230630-qphszaea41/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

AgentTesla

Unpacked files

SH256 hash:

686cf9d8821f34c46528a5683bfbb7f09b96257cf59f36b14bcbee12d5c7152d

MD5 hash:

91cdf1744712d4839c1837d00182a8ff

SHA1 hash:

e7e6952939e6f1d6159fe856dee7f57516ac9c8b

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

Parent samples :

bd474569f1f7ea440aed8f54a561f6f8a7467aadbc053cb8fc8191414b642b8d
1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1
b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786
5b55c1189d8a5080141c4fa441f8e88133a3786bb7000bec83648eaf2086ba54
32abb7f0c67327f53e15d72bdcfe4697cfd27da618a0d81a00a81491372a8392
b50c84cec54cb91b20d9dcef3df35a5936d5d81a029c49b737c85f12b5cd861d
a6ff3a070e5e8fcbf4d1da9ee062b9fd91e1773e17f27c86310b13747739fb2d
ad942fc486c91d8bd5c3d1ab5266d94582b10ea8ac3f284c6914d8c0e1542af8

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

e7c21c8ad091e2713f6fc4851a7fc0f9ff261887cb845dbca5a1faf95cce73f3

MD5 hash:

70ec831701dad8de46573de43708d318

SHA1 hash:

74d370705762d8bc19a88850c651598f3cc7ca54

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

686cf9d8821f34c46528a5683bfbb7f09b96257cf59f36b14bcbee12d5c7152d

MD5 hash:

91cdf1744712d4839c1837d00182a8ff

SHA1 hash:

e7e6952939e6f1d6159fe856dee7f57516ac9c8b

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

Parent samples :

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

e7c21c8ad091e2713f6fc4851a7fc0f9ff261887cb845dbca5a1faf95cce73f3

MD5 hash:

70ec831701dad8de46573de43708d318

SHA1 hash:

74d370705762d8bc19a88850c651598f3cc7ca54

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

686cf9d8821f34c46528a5683bfbb7f09b96257cf59f36b14bcbee12d5c7152d

MD5 hash:

91cdf1744712d4839c1837d00182a8ff

SHA1 hash:

e7e6952939e6f1d6159fe856dee7f57516ac9c8b

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

Parent samples :

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

e7c21c8ad091e2713f6fc4851a7fc0f9ff261887cb845dbca5a1faf95cce73f3

MD5 hash:

70ec831701dad8de46573de43708d318

SHA1 hash:

74d370705762d8bc19a88850c651598f3cc7ca54

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

686cf9d8821f34c46528a5683bfbb7f09b96257cf59f36b14bcbee12d5c7152d

MD5 hash:

91cdf1744712d4839c1837d00182a8ff

SHA1 hash:

e7e6952939e6f1d6159fe856dee7f57516ac9c8b

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

Parent samples :

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

e7c21c8ad091e2713f6fc4851a7fc0f9ff261887cb845dbca5a1faf95cce73f3

MD5 hash:

70ec831701dad8de46573de43708d318

SHA1 hash:

74d370705762d8bc19a88850c651598f3cc7ca54

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

SH256 hash:

1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1

MD5 hash:

048c3672872750704dc94eb8f0552857

SHA1 hash:

5e03bebf7d22f69a164c1c3baa86f5500ed8f013

Link:

https://www.unpac.me/results/b6ff2cba-25e1-4c1d-88f7-c3a6e0d61ff6/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1b5d95e350ee/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.