MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48
SHA3-384 hash:	0a12dbdbf9529626a7558b6f3942834fc46ba5b1cf3ac168a4a740984e04f0b8d9a2627412d652e0eede4ac0fb2e5602
SHA1 hash:	63ff2e152923ab79dc87ede7807b4a5e1cc246bf
MD5 hash:	f8912d26918fc5e127e3acda50f39076
humanhash:	artist-golf-johnny-double
File name:	invocie.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	775'680 bytes
First seen:	2023-02-09 17:39:24 UTC
Last seen:	2023-02-10 08:02:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:BsyhVe5d6U6sRg9db30NOQA+/7lqMtEwcU3gZ+D3AksC/9eZiHU7pms9Peom1vht:Bs8LsRg9db30NOQA+/7lq6AAgZAAHjZ+
Threatray	20'568 similar samples on MalwareBazaar
TLSH	T10EF4E43939B627E2C138F66A46E78620BAFD52437313D859ECEE07F10F855412E8B91D
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

invocie.exe

Verdict:

Malicious activity

Analysis date:

2023-02-09 17:41:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6bce1c0c-9c2e-448e-9149-cc13b4d63f8d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/362932/

Detection(s):

Sanesecurity.Rogue.0hr.20230209-1733.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63e52ff4459bcf46040015cd/reports/ecdf7314-c66b-4e69-b635-a950220a2a8b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/06a9dd04-73e3-4386-ac39-9a1b401f8d1d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1170313

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2023-02-09 17:38:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gyidj4klry2rtnmo2ezioskschcth4wtsowm2tqzqzaku3ey7rea._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2

AgentTesla

20c94daf0506d27a6bd3de27e378fc900dd44a32328a41912d60fd26677d426d

AgentTesla

23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9

AgentTesla

4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203

AgentTesla

8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d

AgentTesla

d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

AgentTesla

e60df4c4e0c5fd9cb3bc3863d6ca5e668f44120187dd66fa0239c0741653e5e7

AgentTesla

f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6

AgentTesla

+ 20'558 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230209-v8vzvsea52/

Behaviour

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

8183b459a17c5add41c6ab394803a69ef3691de42ddf8c7dd40cf3c5434d6517

MD5 hash:

f5746d7b78ce3a24b03de7bfa9732466

SHA1 hash:

e36951c351fe84d7ec5a5af5ba2b2b7fd08286fb

Link:

https://www.unpac.me/results/1ec72691-e40e-4b09-893d-bfc27910e2ae/

SH256 hash:

452677f7538cdad7eae21f72f500cc0fa48d6fef66e22176612ea26ef4813cdd

MD5 hash:

8bcebae63e79b193a35982314d8c3dbb

SHA1 hash:

7a45432f9b4329dd82dd31389631eb9b907c8e31

Link:

https://www.unpac.me/results/1ec72691-e40e-4b09-893d-bfc27910e2ae/

SH256 hash:

94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129

MD5 hash:

874dcc6be499121b1425bfdff1f8ad46

SHA1 hash:

66f83bedc73876b77e152c604b8214bde86d965e

Link:

https://www.unpac.me/results/1ec72691-e40e-4b09-893d-bfc27910e2ae/

SH256 hash:

361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48

MD5 hash:

f8912d26918fc5e127e3acda50f39076

SHA1 hash:

63ff2e152923ab79dc87ede7807b4a5e1cc246bf

Link:

https://www.unpac.me/results/1ec72691-e40e-4b09-893d-bfc27910e2ae/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/361034f14b8e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.