MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29fbf1d4da3f7b2aa2c388ba6af3e3e48f437c8a7acec3cc9911f591e52cb0b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29fbf1d4da3f7b2aa2c388ba6af3e3e48f437c8a7acec3cc9911f591e52cb0b4
SHA3-384 hash: 512b8721a1c79512e1d851331cbc921551fcfdf097055dc5f813b4b3560a928ed7b6091330876b9c49390b4936ddbccb
SHA1 hash: 7d3e337bc03fe5ccb2ff4ccfabc326f4759591e9
MD5 hash: b09305b96f3400c9af220c42d310ace8
humanhash: fifteen-sodium-maine-carolina
File name:Debit Notes & Credit Notes.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:612'864 bytes
First seen:2021-07-13 18:09:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:62YgLYSI22YzQCRH7rNGFztmPsyp+Ek7Xt2heG7JF+Yf:3Yg8U7zQCRH/NixhyochB7SY
Threatray 3 similar samples on MalwareBazaar
TLSH T19BD4121929EE2154D1F2AFFA95D47895D92EB2B17A13D80F2099034E493BF01CCE2F76
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Debit Notes & Credit Notes.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-13 18:12:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cc4160b3-825d-4e2e-bc29-61a3e41b4d36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171487/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.900-1.UNOFFICIAL
Create hunting rule

Win.Packed.Generickdz-9877891-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17d8dad1-b88a-4d35-be42-32eaf5c1a856
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/815804
Signature
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448215 Sample: Debit Notes & Credit Notes.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 92 12 Found malware configuration 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 Yara detected AgentTesla 2->16 18 5 other signatures 2->18 6 Debit Notes & Credit Notes.exe 2 2->6         started        process3 process4 8 WerFault.exe 23 9 6->8         started        10 WerFault.exe 6->10         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29fbf1d4da3f7b2aa2c388ba6af3e3e48f437c8a7acec3cc9911f591e52cb0b4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 13:35:50 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fh57dvg2h55sviwdrc5gv47d4shug7ekplhmhtezch2zdzjmwc2a._file
Verdict:
unknown
Similar samples:
228638e7a1c7f902617aa1b7f1347b339d4ef673fb25885650e278b49b7f9d2d
AgentTesla
2d564f88c4c69a2f65bc98083b9a289236db433e6d4b2a649b22f2e2a8ed6d73
AgentTesla
c5b56bcdb7672777ac9f2ed52d73eb7645310d54d93582f48296277efa006561
AgentTesla
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210713-f2r6mbkwyj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
32535980ab69e4c630d764c0995dd03a45a243d721cf12a6b78c5e50acec8ef2
MD5 hash:
06a693cd923ad8d9ddaa3aef94d896c5
SHA1 hash:
454982dc3283622b10a5589530a34ec1b1c2bad4
Link:
https://www.unpac.me/results/8b69cb36-27d1-48cc-b0b5-e57bd444ce80/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/8b69cb36-27d1-48cc-b0b5-e57bd444ce80/
SH256 hash:
a2beb8053ebfe20b41c0b7d276fee4f6bfcd7fbe87e9e162bd629db33758c910
MD5 hash:
a526c0bff1ac5f66322cff97f90e9363
SHA1 hash:
a53985390d2c702252d81ceba2a04d9063e8ee07
Link:
https://www.unpac.me/results/8b69cb36-27d1-48cc-b0b5-e57bd444ce80/
SH256 hash:
29fbf1d4da3f7b2aa2c388ba6af3e3e48f437c8a7acec3cc9911f591e52cb0b4
MD5 hash:
b09305b96f3400c9af220c42d310ace8
SHA1 hash:
7d3e337bc03fe5ccb2ff4ccfabc326f4759591e9
Link:
https://www.unpac.me/results/8b69cb36-27d1-48cc-b0b5-e57bd444ce80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/29fbf1d4da3f7b2aa2c388ba6af3e3e48f437c8a7acec3cc9911f591e52cb0b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171487/

Comments