MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa
SHA3-384 hash: 08fb7edc9f82cb4ec5320bd4538c477d6f951ba566ad765db0388df9d5d77e4f440b20ad2fb635816969747a2ddebd60
SHA1 hash: ae73ce98fa5c9e4a4a7cb288d3f519c994cafa3e
MD5 hash: eefc84fdb2c352b19477bf8ba29b1bf7
humanhash: low-kentucky-robert-wolfram
File name:Invoice‮gpj.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:704'512 bytes
First seen:2023-10-17 20:19:43 UTC
Last seen:2023-10-17 20:36:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8cDpJR9oa1h6noEVv0xH56ULw2PaLxoiRxMfGGsjMR6lLYHHR/:fpjh4xs6MwGg/bbw2L
Threatray 470 similar samples on MalwareBazaar
TLSH T184E4136E3F897DA1D27C867604633568C6FC4197C303DB799994E2F5BE923880B3217A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b0454a4c4c4a45b0 (1 x AgentTesla)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice‮gpj.exe
Verdict:
Malicious activity
Analysis date:
2023-10-17 21:35:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a50c49dd-6c93-4637-9f2a-f1da1cf69f89

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455462/
Detection(s):
Sanesecurity.Malware.24184.7zHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/652eec75cd0633254b83ac26/reports/c64efe92-2d97-461e-8707-36e5eff253c9/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7485182-7547-44e6-bf3c-f500843d15e1
Result
Threat name:
AgentTesla, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327553
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1327553 Sample: Invoicegpj.exe Startdate: 17/10/2023 Architecture: WINDOWS Score: 100 67 mail.royalcheckout.store 2->67 69 royalcheckout.store 2->69 71 2 other IPs or domains 2->71 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for URL or domain 2->81 83 12 other signatures 2->83 9 Invoicegpj.exe 3 2->9         started        12 note.exe 2 2->12         started        14 note.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 signatures5 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->105 18 cmd.exe 3 9->18         started        22 cmd.exe 1 9->22         started        24 note.exe 9->24         started        107 Writes to foreign memory regions 12->107 109 Injects a PE file into a foreign processes 12->109 26 InstallUtil.exe 12->26         started        28 InstallUtil.exe 12->28         started        30 InstallUtil.exe 12->30         started        32 InstallUtil.exe 14->32         started        34 conhost.exe 16->34         started        36 conhost.exe 16->36         started        process6 file7 61 C:\Users\user\AppData\Roaming\...\note.exe, PE32 18->61 dropped 85 Uses ping.exe to sleep 18->85 38 note.exe 3 18->38         started        41 conhost.exe 18->41         started        43 PING.EXE 1 18->43         started        45 PING.EXE 1 18->45         started        87 Drops PE files to the startup folder 22->87 89 Uses ping.exe to check the status of other devices and networks 22->89 47 reg.exe 1 1 22->47         started        49 PING.EXE 1 22->49         started        52 conhost.exe 22->52         started        91 Writes to foreign memory regions 24->91 93 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->93 95 Injects a PE file into a foreign processes 24->95 54 InstallUtil.exe 24->54         started        signatures8 process9 dnsIp10 97 Writes to foreign memory regions 38->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->99 101 Injects a PE file into a foreign processes 38->101 56 InstallUtil.exe 16 4 38->56         started        103 Creates multiple autostart registry keys 47->103 65 127.0.0.1 unknown unknown 49->65 signatures11 process12 dnsIp13 73 api4.ipify.org 173.231.16.77, 443, 49752 WEBNXUS United States 56->73 75 royalcheckout.store 179.43.183.46, 49753, 587 PLI-ASCH Panama 56->75 63 C:\Users\user\AppData\Roaming\...\TbMBQ.exe, PE32 56->63 dropped 111 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 56->111 113 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 56->113 115 Tries to steal Mail credentials (via file / registry access) 56->115 117 3 other signatures 56->117 file14 signatures15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 17:03:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
17 of 37 (45.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=joyxals3r3f4jki53hi6257lxxyea23hcikdwo4gzedkk4e2ax5a._file
Verdict:
malicious
Similar samples:
1941fd80fd284baeb6d794cf73f6d0dd2a37fb419bd4739966dc6182842a3517
AgentTesla
39e68b3555c03c108a8dc3f9373a2031ba20ce5e0adc492ab3b2d2e5d3150d86
AgentTesla
4a793a9dfa5fac79c6e6b8f1d36e8719cc8f2849849259f364ee8e4af08d9613
AgentTesla
9713b05ec993df32ea7adfcc391bf45486b291ab7fcfb465b1b9c92eaa321826
AgentTesla
9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d
AgentTesla
ec88127f108bf2d3963c92a80950bc8d6d2cfef67c6acdec7793169b89000ad1
AgentTesla
f4615f0f60bdbabef82384ec728d4e402eca70ebc1a49b3b8bb7b155292e3fae
AgentTesla
+ 460 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231017-y4ezmagf2s/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
720eb7865aa32950f28737087178ab60b13de358aeb838ede500c50f7235cc69
MD5 hash:
59ff3aedb3f9df07f7ed61aeec39d6d7
SHA1 hash:
d3df5789a205f7849ae626045f6fdb5a7a80da7e
Link:
https://www.unpac.me/results/ff05ee79-b372-4415-8e94-4c047bad4a28/
SH256 hash:
39e68b3555c03c108a8dc3f9373a2031ba20ce5e0adc492ab3b2d2e5d3150d86
MD5 hash:
f0af137175487b4d1249921ce506efe9
SHA1 hash:
7e175b57710312c75d3580b058c1efd91dc55098
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/ff05ee79-b372-4415-8e94-4c047bad4a28/
Parent samples :
39e68b3555c03c108a8dc3f9373a2031ba20ce5e0adc492ab3b2d2e5d3150d86
4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa
SH256 hash:
4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa
MD5 hash:
eefc84fdb2c352b19477bf8ba29b1bf7
SHA1 hash:
ae73ce98fa5c9e4a4a7cb288d3f519c994cafa3e
Link:
https://www.unpac.me/results/ff05ee79-b372-4415-8e94-4c047bad4a28/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4bb1702e5b8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bb1702e5b8ecbc4a91dd9d1ed77ebbdf0406b6712143b3b86c906a5709a05fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/455462/

Comments