MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bfbb76b330000d77b2265ccec0624c973c8e368838798d4e7a20fd1d4ec3cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bfbb76b330000d77b2265ccec0624c973c8e368838798d4e7a20fd1d4ec3cb1
SHA3-384 hash: 4e0e425c2dbbaae59265961244582115d93776b3c836bfe2a8112587a156332aafed95f72622f8f74da37b21beac7f93
SHA1 hash: 7f963cac64d1960a6cd0e52fc984cf90f9075f99
MD5 hash: 417cc456b8090fc7a9f9fceaad72e26c
humanhash: table-winter-leopard-cup
File name:payment Advice.pdf.r11.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:664'064 bytes
First seen:2023-06-22 08:43:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:0ODwj8d7F7dAIQEsOBcYZV13HU6M7EutXEHx2UjaQ9byx:nwSxBATEC7EuKHxSQ9byx
Threatray 492 similar samples on MalwareBazaar
TLSH T187E4E0AEFB45BE66C91D8E378013210843F884A39273F65F1CDC1DF1596268D8E8F59A
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter TeamDreier
Tags:AgentTesla cynthiak123-yandex-com exe rampelloelectricidad-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment Advice.pdf.r11.exe
Verdict:
Malicious activity
Analysis date:
2023-06-22 08:45:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf6803b8-3aca-4e38-bd97-1f1cb3ec1c2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/401639/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67671980.20015.13838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed
Link:
https://www.filescan.io/uploads/649409d78d2002f9452b2804/reports/e0b0d35a-cc1c-444e-808e-5ebba70433fa/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1bfbb76b330000d77b2265ccec0624c973c8e368838798d4e7a20fd1d4ec3cb1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15181465-64c3-499d-8bcb-71748227e0e0
Result
Threat name:
AgentTesla, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259563
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1bfbb76b330000d77b2265ccec0624c973c8e368838798d4e7a20fd1d4ec3cb1/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 12:47:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dp53o2ztaaano6zcmxgoybrezfz4ry3iqodzrvhhuih5dvhmhsyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00f76cee98dffd241b1d768c5fe87a6fa46f0822592a298e808ca0a4d976181d
AgentTesla
062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684
AgentTesla
1a6889803b766ce102a10973126f946e3618a0f80c1cee6d902304d2ffae06c5
AgentTesla
511bd4f1051444242dda8ae6df80720106a6b4d60eab89658baffb142affe730
AgentTesla
7bf161d2aba8c0ddcd67192f4c8d851bdc99acbcabf12fe75b5d68c7414ce0ba
AgentTesla
9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51
AgentTesla
a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e
AgentTesla
cec5cc9dfa8e64cd0bacc6aa6f7767729dec65d6a8d53184b887dc89a6a76884
AgentTesla
cf754ba143aca919dc53b8869d18ceb489014003092559062018193d6e0928bb
AgentTesla
+ 482 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230622-km5xtseg3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5 hash:
50f28d178452b2db4e1f466904e55c78
SHA1 hash:
d9a3246a570715d756a6c653b6818afb99ae39ec
Link:
https://www.unpac.me/results/56eca076-3bc0-4f15-883f-3f1955a2f8d8/
SH256 hash:
5953a1034b801321eb780abec83eda9c1e8d1e9781670bce01be6daece47fbdc
MD5 hash:
31d1f8cc35023956de8d5a94f6df86c4
SHA1 hash:
d5678a81b26e863fae5c6f1565b2e3aeffd02817
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/56eca076-3bc0-4f15-883f-3f1955a2f8d8/
SH256 hash:
0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5 hash:
2c064163cda2f093cf6d20302481dff7
SHA1 hash:
cf948b10d999c369ef51972f86278a4f536d400d
Link:
https://www.unpac.me/results/56eca076-3bc0-4f15-883f-3f1955a2f8d8/
SH256 hash:
7ff26e47498a1ec7c5b494b25d0481b477cb49329ea6a5fa819fa5505959959c
MD5 hash:
d25d1d7474f0d42fb166345b7490df28
SHA1 hash:
9a7a2684827ee503ec1f72d2322608b70f056957
Link:
https://www.unpac.me/results/56eca076-3bc0-4f15-883f-3f1955a2f8d8/
SH256 hash:
1bfbb76b330000d77b2265ccec0624c973c8e368838798d4e7a20fd1d4ec3cb1
MD5 hash:
417cc456b8090fc7a9f9fceaad72e26c
SHA1 hash:
7f963cac64d1960a6cd0e52fc984cf90f9075f99
Link:
https://www.unpac.me/results/56eca076-3bc0-4f15-883f-3f1955a2f8d8/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1bfbb76b3300/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1bfbb76b330000d77b2265ccec0624c973c8e368838798d4e7a20fd1d4ec3cb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1bfbb76b330000d77b2265ccec0624c973c8e368838798d4e7a20fd1d4ec3cb1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/401639/

Comments