MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48ba15159b820bdaab3c320377fcc4e5210db06be1bb0e025b81e01adbe5e962. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	48ba15159b820bdaab3c320377fcc4e5210db06be1bb0e025b81e01adbe5e962
SHA3-384 hash:	ead4ecac67860833c71d49bb6bcd9bd188e23b7b34f648e9be0374909dbf31b110312ea36eedebd03059a4a5abdae6d4
SHA1 hash:	a0152d89cca84c28eae4b6343b0550d3da76d5c9
MD5 hash:	e553a44842053dc2a96333f5451244e2
humanhash:	edward-aspen-october-muppet
File name:	invoice.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	924'160 bytes
First seen:	2023-03-08 20:41:45 UTC
Last seen:	2023-03-09 06:20:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:3e3yglF1adHqAqWnBc6//zScEgLeaUISS8AzMzxYxDxmR5Y0j4dXY/RIppoeynF:3e3vuHql6/2cXLCSrMSACe
Threatray	1'431 similar samples on MalwareBazaar
TLSH	T18815BD57F245A82EE8BEE730DD86BD54E831B0727212751B71DBC08887ADAF29B041D7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	84d4d4d4d4d4d482 (5 x AgentTesla, 2 x SnakeKeylogger, 1 x NanoCore)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

invoice.exe

Verdict:

Malicious activity

Analysis date:

2023-03-08 20:43:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/06bb30d8-dc4a-46b3-bfa0-525a46e42fe0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372699/

Detection(s):

SecuriteInfo.com.Trojan.KeyloggerNET.52.30402.16314.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6408f31c8b48bcea611f4739/reports/864c028c-05e4-408e-aad1-fc51e6aed9a5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/48ba15159b820bdaab3c320377fcc4e5210db06be1bb0e025b81e01adbe5e962

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f54c6eef-2e0f-49c3-bbe8-9059ddd13327

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189789

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48ba15159b820bdaab3c320377fcc4e5210db06be1bb0e025b81e01adbe5e962/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-03-08 19:04:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jc5bkfm3qif5vkz4gibxp7ge4uqq3mdl4g5q4as3qhqbvw7f5fra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3f62671f8ab8df6e9357899dbcde6858148e313ad4f8553efe2c1919722a9a79

AgentTesla

4bc2eb04a6c26b53567b75b2b1a7269ba31b13d69234dbd16d029f6265656061

AgentTesla

6ae9e95178fbe3f0b8d2495b927ebbba4edf143d9d703170d6a309bce7e8aad8

AgentTesla

918057f4d236bf49e9efaceb3c4aaab580baf9960ac45d2fe8d97c5d98111f73

AgentTesla

9975c3c2c7bb393e635997f7e9060557ddc22931a8d700e558b7bb2c8d6ff892

AgentTesla

a1e2e07c9b335493af4c7eb345f5e478d758efadb8ef2df597e08734c5ccffa1

AgentTesla

bc8adaeabfbb712f8af4274072205059dea9d81f0e09016531d43ebcb52c5db7

AgentTesla

+ 1'421 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230308-zg1hgsfh4t/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

9cf023586657fed8d8094e73ece01ded27c5d474f4a5d01b449eb1bedfd5de4e

MD5 hash:

c9eb8306ac7d08f6c1fe2830f83c0e16

SHA1 hash:

f4ab9f39d7cb928f8713deef24ad9a10403f896e

Link:

https://www.unpac.me/results/46caf831-273a-4fd2-aa5a-af23a6e94f42/

SH256 hash:

8adf9db7b87c56416c25785fae80e3905c7903d8076778a16cc3952782cc375d

MD5 hash:

0aae6eaef00ff22fdf33278287324732

SHA1 hash:

815b83c06d5b3930ec0910672648ea4976b9e9a4

Link:

https://www.unpac.me/results/46caf831-273a-4fd2-aa5a-af23a6e94f42/

SH256 hash:

dd49948e0b3393a8b53084075ec2f2a8c36813d1ba1ca538697eb62ec4b4deae

MD5 hash:

538dab51e58b7dd3809664982f4d0746

SHA1 hash:

4e7f9615f1d96b087c453a72217662f867e0520d

Link:

https://www.unpac.me/results/46caf831-273a-4fd2-aa5a-af23a6e94f42/

SH256 hash:

9268c168ee3fc99fead73cf0434ed22aee9ffa184143546cbbc500d67900965b

MD5 hash:

7f3b96fe08c9a79896b9618f38ad99e7

SHA1 hash:

2a1b7a6ab625a6feefd0616091b3651de0086956

Link:

https://www.unpac.me/results/46caf831-273a-4fd2-aa5a-af23a6e94f42/

SH256 hash:

e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29

MD5 hash:

d170ab8c03b9c37d5be449454db131d2

SHA1 hash:

2031b6754a65d21b47dd11a34fee86f048d6048d

Link:

https://www.unpac.me/results/46caf831-273a-4fd2-aa5a-af23a6e94f42/

SH256 hash:

48ba15159b820bdaab3c320377fcc4e5210db06be1bb0e025b81e01adbe5e962

MD5 hash:

e553a44842053dc2a96333f5451244e2

SHA1 hash:

a0152d89cca84c28eae4b6343b0550d3da76d5c9

Link:

https://www.unpac.me/results/46caf831-273a-4fd2-aa5a-af23a6e94f42/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/48ba15159b82/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/48ba15159b820bdaab3c320377fcc4e5210db06be1bb0e025b81e01adbe5e962

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.