MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 530ab67b002bb21072fe39ca2ec9f31499e77b3d021d26c016641cf2d096dc63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 530ab67b002bb21072fe39ca2ec9f31499e77b3d021d26c016641cf2d096dc63
SHA3-384 hash: 6e59d979c30eb071833549ce7703d70f5a0d47cf979a923dfc0471f4b67ba07ee6449620b07ed9ddcb8ca33a0d9b34b8
SHA1 hash: 85717130185018037548ab68907ba7ca1ae0ce7e
MD5 hash: f2692a741feac06eb6da22ead92f99f1
humanhash: butter-magazine-september-ink
File name:Proforma Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:847'360 bytes
First seen:2021-04-26 08:22:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:A7gKrqqIyk3vkCc5E5mWUE9octGcrOv2CRVlkieoLU2OUvLwiiluWD0NHbhhae9s:amy2kCc+m/jaZqvxlTLTOiLEuWQ9hav
Threatray 4'198 similar samples on MalwareBazaar
TLSH 6405023B03094FB7D3FD90FD418512111AF0C3AAA2A3EB4B7EF861E991C1745672972A
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-04-26 08:27:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15d5bb99-ac6e-4f5e-a1de-90948c8653ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144260/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697605
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397718 Sample: Proforma Invoice.exe Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Antivirus detection for dropped file 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 11 other signatures 2->35 7 Proforma Invoice.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\...\AtRofvBGkgN.exe, PE32 7->21 dropped 23 C:\Users\...\AtRofvBGkgN.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp5631.tmp, XML 7->25 dropped 27 C:\Users\user\...\Proforma Invoice.exe.log, ASCII 7->27 dropped 37 Injects a PE file into a foreign processes 7->37 11 Proforma Invoice.exe 2 7->11         started        13 schtasks.exe 1 7->13         started        15 svchost.exe 7->15         started        signatures5 process6 process7 17 dw20.exe 22 6 11->17         started        19 conhost.exe 13->19         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/530ab67b002bb21072fe39ca2ec9f31499e77b3d021d26c016641cf2d096dc63/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 08:23:11 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmflm6yafozba4x6hhfc5sptcsm6o6z5aiosnqawmqopfuew3rrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d77a7855565f1f714311f0b3fddfa7a924e833f4723bdb0cb6a7d28e910844a
AgentTesla
19006e1934a36332207bb746cdfad53e5264682ed947d4f6c99debecefe12f99
AgentTesla
1f88ff46898b41059e556d7341a3c13f0fd6351e96b18f88b3377c613d6104fa
AgentTesla
270ed43b800d14fcbffb187100db9c13e6ef7ee216def9e598c46e45a8d5d719
AgentTesla
440584979145865d0d4ed8eccb48f90699a2b0c6c6eef0c2162db0d42b1c0fdc
AgentTesla
46096a5640a91cddbb2ea4d49d24f6df8e2d079f68a2559849ee9ff3a50281c3
AgentTesla
80a0dd46a1ad1560f80aae2ddaba46bcfc26a851d20230155d85be61704d744e
AgentTesla
982080ba51f02ae0250f16015d154d89f96b171ff9d7c541d9f68785ecbe0b77
AgentTesla
a4099c148fa4db51800cd9fd2b201052539cf0cf4e37232288528b3abe531630
AgentTesla
ccf7cbe501b4e91d8f020fb061bbb24167316704bb9566aed6a6a5bc36df3d73
AgentTesla
+ 4'188 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210426-xz5hz3nxh6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/86472004-882c-400a-8410-70859e20df6d/
SH256 hash:
530ab67b002bb21072fe39ca2ec9f31499e77b3d021d26c016641cf2d096dc63
MD5 hash:
f2692a741feac06eb6da22ead92f99f1
SHA1 hash:
85717130185018037548ab68907ba7ca1ae0ce7e
Link:
https://www.unpac.me/results/86472004-882c-400a-8410-70859e20df6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/530ab67b002bb21072fe39ca2ec9f31499e77b3d021d26c016641cf2d096dc63

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144260/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-26 09:02:28 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection