MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4473743edafc55a38745f2c4b897239c1d6b23c2c7e8c4423fac27632aaa96ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4473743edafc55a38745f2c4b897239c1d6b23c2c7e8c4423fac27632aaa96ec
SHA3-384 hash: 3f129f1b5d43be2b8478df9402654ab1e6af03356770d24f3630fdd12c44ed1ba0e0c14d34621a7b9907a89fd5dc2e25
SHA1 hash: 1473c2bc7f7df36e1108532ceaf6f2e1b0be67ad
MD5 hash: f66385ba3ee1c85c27ba8522093f65e3
humanhash: pasta-indigo-emma-crazy
File name:overdue invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:732'160 bytes
First seen:2021-08-04 13:01:12 UTC
Last seen:2021-08-07 04:45:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:6xTmidhfPQDHyPLJtABNbKe52AZZ3WeICTSsh2KwYigQqk:6xCUhXQzyD87b52AirCTL2Kw7gzk
Threatray 7'799 similar samples on MalwareBazaar
TLSH T1E1F4CE2B46508663F87CD27D2A658617F729DFE7F0ECD88AEDC73081CA71A13209546E
dhash icon 0cfcc286e6e26e8c (1 x AgentTesla)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
overdue invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-08-04 13:03:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6ae4d477-0ee8-4ccf-a0ff-a88a4c6372f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176333/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15066.9413.1873.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8681888b-3666-436f-bbfe-a63b647d10eb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826853
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4473743edafc55a38745f2c4b897239c1d6b23c2c7e8c4423fac27632aaa96ec/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 11:11:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
17 of 28 (60.71%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=irzxipw27rk2hb2f6lclrfzdtqowwi6cy7umiqr7vqtwgkvks3wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
AgentTesla
3fd2c91007c4b1429d70710853232018e8da2528d375af5d64b79901254e52f0
AgentTesla
5adfe20af9815856290bc19eca320691651557be0b9c1323b921115d67d59b2b
AgentTesla
7320273731dbce41f47cc62a196383cbe81764c7285277c153498818d1135b8f
AgentTesla
7596db7593e9571f3cfdb3003fe0001054abddfb57dd8390bc05d458cbef0be3
AgentTesla
8c3b25751ab09b3f9a6b6f9ce8271c13b5963565c2099077cfc9d30d6ff6abe7
AgentTesla
9b8939c87ab0a26dd6fff617546b35ed335d544da08ed4c962f1d3b4ff1e6356
AgentTesla
ea1972a95f782366645f06db55e5f5084568d9f517d65e0a3233804100a5211f
AgentTesla
+ 7'789 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210804-s3aw7kyw1a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/c2dcb2a1-c4d9-4d6e-b0a1-6cae0aa7eb0a/
SH256 hash:
a69831a9e41756fcf05fe81aaf1b764061ce6643f84298972d843842bc7fb6c9
MD5 hash:
be0e73be696378ccf20209ec65d1de4f
SHA1 hash:
cbcf3696a25d99fc9469021645ecdacc7ee844e2
Link:
https://www.unpac.me/results/c2dcb2a1-c4d9-4d6e-b0a1-6cae0aa7eb0a/
SH256 hash:
5bd875a8c251ff895d29b7c58a5d40d0c72417f510f947f8ab8472eb53bc10e3
MD5 hash:
1b1d092442b7daec546f6b5c840cc8c4
SHA1 hash:
30872a5b2cca5bf52d413df7254919f1469240a9
Link:
https://www.unpac.me/results/c2dcb2a1-c4d9-4d6e-b0a1-6cae0aa7eb0a/
SH256 hash:
4473743edafc55a38745f2c4b897239c1d6b23c2c7e8c4423fac27632aaa96ec
MD5 hash:
f66385ba3ee1c85c27ba8522093f65e3
SHA1 hash:
1473c2bc7f7df36e1108532ceaf6f2e1b0be67ad
Link:
https://www.unpac.me/results/c2dcb2a1-c4d9-4d6e-b0a1-6cae0aa7eb0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4473743edafc55a38745f2c4b897239c1d6b23c2c7e8c4423fac27632aaa96ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/176333/

Comments