MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2360d00fabefc2e52aedea07c1298902b757c48d62e4a6177408fb17c806ce93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2360d00fabefc2e52aedea07c1298902b757c48d62e4a6177408fb17c806ce93
SHA3-384 hash: 635191460bce8b66b84f8a556564e5656787aa90c464b5d2c5938e9b4d685e8b22b6630aed942ab9a985b8361025646c
SHA1 hash: 168bab8e5cd9aa4fac609c6761bbfa301e8a5717
MD5 hash: adc072c32df99207f9481635aefadba8
humanhash: zulu-floor-north-alaska
File name:Proforma Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'489'408 bytes
First seen:2021-01-20 14:37:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:vnbKjgfQNd3YPkcyX0kvFl3sGBflmJWSfn1KqeyWn5:GjGQNuPkRX0kvFDflmIsWn5
Threatray 2'223 similar samples on MalwareBazaar
TLSH 8165D69C751C72DEC8D7D4628AAB1C64EA532CBA431B410390273DB9BA7C897CF547B2
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 14:39:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6fc6d356-6d5f-4d3c-bd93-5c7980bc51f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114555/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/586350
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2360d00fabefc2e52aedea07c1298902b757c48d62e4a6177408fb17c806ce93/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 14:32:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 44 (43.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=enqnad5l57bokkxn5id4ckmjak3vprenmlskmf3ubd5rpsagz2jq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01d7b1149b565f6728fb3f3caeb30f988a6687cef75dd99f9d3850a9ec91af6f
AgentTesla
07b7896911fbed2570ef9716256497017a3d2e57b4f992afc3c42aede186284d
AgentTesla
1512482cfa6c5af70bff601644b1662f03826fc14f0876047a12deabd03932ac
AgentTesla
2533bccd55634d0883662979a1ffef4f7d990f7153c28096befa93aee34beded
AgentTesla
2eb29031ba92b4f721999dcb57f22885749ae09dcb89bf867c63ac5348c3bead
AgentTesla
47ed9a694769d7cb9419f9a7250c67d109567589767862e20669be81536c60ea
AgentTesla
5d68a64c24b58d998d34d9a789d34bffd195c853556c2995b3e3ac87b22a4f75
AgentTesla
c3e25836dbdb6fc57f756a3ac537338e4806d45a602c4705c0a4ee32861aba0c
AgentTesla
da434e7b01c61143d440d75ccd8ad7136f030a43d9cdeaad377c443875a31744
AgentTesla
ded91378a317de086a8a747ba894bc874e3accef878732947637cf41381268f0
AgentTesla
+ 2'213 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210120-9fm74gj6vx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e754a8fa9a6d6685b1a3a9cf843cdbfa7ac0a25ffda51878f200d9b8cf385d3e
MD5 hash:
df5648a6987df7966da1cda971bb9c9a
SHA1 hash:
d4447140390b8aca77d4a0b200e45608aee8318c
Link:
https://www.unpac.me/results/fbf3139d-0c5e-4fac-a37a-25bdadc10e5b/
SH256 hash:
18f10935cbddf38325edab2a852de76e254e7ca48e96946e0a29626602b296fb
MD5 hash:
440ebf5297a9b942d83cb76d0bbf0d82
SHA1 hash:
86eea537361031fe7121171dc997ee14540e51c8
Link:
https://www.unpac.me/results/fbf3139d-0c5e-4fac-a37a-25bdadc10e5b/
SH256 hash:
3f02dfd0b0cd9600617166c46a3eb09b07837b6e718a02677ea03cf2e909e1a4
MD5 hash:
2057e405d27ad310375457e7a9354b42
SHA1 hash:
34463f0ded3acac785af00ae9d61227cb4d0be5c
Link:
https://www.unpac.me/results/fbf3139d-0c5e-4fac-a37a-25bdadc10e5b/
SH256 hash:
2360d00fabefc2e52aedea07c1298902b757c48d62e4a6177408fb17c806ce93
MD5 hash:
adc072c32df99207f9481635aefadba8
SHA1 hash:
168bab8e5cd9aa4fac609c6761bbfa301e8a5717
Link:
https://www.unpac.me/results/fbf3139d-0c5e-4fac-a37a-25bdadc10e5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/2360d00fabefc2e52aedea07c1298902b757c48d62e4a6177408fb17c806ce93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114555/

Comments