MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a
SHA3-384 hash:	c72c3df43f8c89decf0bf28cd6cb370ea00c03cceec83b47c664fa6c77fd4b20ce672af0fb90bbd3019a003f25400fc8
SHA1 hash:	99accc50514d38dfd74883b10789a471f4cc2bca
MD5 hash:	eac45e7940e2536662d67f5c2bb888f8
humanhash:	sierra-yankee-friend-alaska
File name:	Revised Proforma Invoice WSI116850PF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	905'216 bytes
First seen:	2023-06-09 12:55:22 UTC
Last seen:	2023-06-09 13:57:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:EW0lwFqIwr+i3Tp3OQwN5V2cKxZMXdKkDkB0c:RZFwTp3duL2xxGKoy0c
Threatray	3'523 similar samples on MalwareBazaar
TLSH	T11C1583BC9D07E6EBCE39E25A95F02307B3714417B65EB88C6ADA3B450D93DC122D064E
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Revised Proforma Invoice WSI116850PF.exe

Verdict:

Malicious activity

Analysis date:

2023-06-09 12:56:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/99157bdf-2b9a-4a77-a984-ed0ec6aeaf1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XorStringsNET

Link:

https://www.capesandbox.com/analysis/397395/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67432657.7592.31012.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/648321647a6073fd1d388d39/reports/7b761596-4bac-4b42-8712-bbc9cb8220c5/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f89ff071-4820-4703-8e1a-e6d3c0721ad3

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1251940

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-08 15:46:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hypwepylfqnylpf4uollx23z4bw3hejyuacmcqqbqj7ndkgkg55a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3c15327363831cc1f832ff3fc3156339c546dc72ace1342502b5826416adcd28

AgentTesla

3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a

AgentTesla

74d26f4b119393b4528ff36ae1ed9ddf2fd9b6e36f3dbd9c7456ad692687905c

AgentTesla

84c7973871a6a639c40534f9e3fd7135bd35cd1b0eee937cc849af90c903c4c2

AgentTesla

92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

AgentTesla

c45219a3fd0cf51360c30b7aa0cba985ad1d28030785ab9dc5083090540409d8

AgentTesla

fb037edda6db14f4cc45540ee0719c8ca02cbc7636f48c14b6dca3bd187f3e44

AgentTesla

fbc745c53390b016e0f8520fa691f4341559b57467515ea230ef7127232bce87

AgentTesla

+ 3'513 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230609-p6b63sda21/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/d6529ac5-3b54-4a6f-9b8c-e66ce4e9eb43/

SH256 hash:

f5f0576064260ca8994961e9bac29e51ad52cc7473d52f1379d5c533a40beae3

MD5 hash:

b2ed9276e6686711ed5ec6a3a1342147

SHA1 hash:

533064433d0a15f8a28f79bbe8b8ea5b5ad37ffd

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/d6529ac5-3b54-4a6f-9b8c-e66ce4e9eb43/

Parent samples :

cb3964a3b6a2ee8bd2bdbc3a3b65306546cecec2deb444968ee8f33ce2c1a593
2be71dbd5717aadd41efe306affff9fb63675adb1dd4f1a5a7b5d123c4ba508b
c45219a3fd0cf51360c30b7aa0cba985ad1d28030785ab9dc5083090540409d8
3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a
a9adeec302ab071989a321a13b0c9b1f12e4c0fd69f3dab0a99e46d165a40cd3
2406e6d5ca634a5b588ee4bd967cc1ac4ace9e24ac4761471c992f4a1450469f
7cae209399f08c5a85de444babd258aadb253b625356dcd47e4ccf4fca8a013e
db4298e6b1ab62b76c39dbedd3bedcef513acf96a75cc97eabf9f82741027ea5

SH256 hash:

08ef701541e007b723bebd0df529912c579d34ef277c23e3a53c308d855f9710

MD5 hash:

d1337b11c79020681fe5945b38dfd279

SHA1 hash:

1be8aa0f56b5f93b8050b6cb2518908be73822ce

Link:

https://www.unpac.me/results/d6529ac5-3b54-4a6f-9b8c-e66ce4e9eb43/

SH256 hash:

3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a

MD5 hash:

eac45e7940e2536662d67f5c2bb888f8

SHA1 hash:

99accc50514d38dfd74883b10789a471f4cc2bca

Link:

https://www.unpac.me/results/d6529ac5-3b54-4a6f-9b8c-e66ce4e9eb43/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.