MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056
SHA3-384 hash:	5b998a84f8d81df880ea250bf32a0a025c7ee41792ed2123a9d620bcda5b8e3d36efe4fc95006af6756d009685830d23
SHA1 hash:	913e2758bfb5eab1596efe219c7eadf580cda3d1
MD5 hash:	7fb0054fe8ab33a1ae308d8ff5de9acc
humanhash:	victor-jersey-october-snake
File name:	PROFOMA INVOICE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	503'808 bytes
First seen:	2022-11-22 07:40:46 UTC
Last seen:	2022-11-23 20:01:29 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:wM60vcA0Ksekd56UWZgaY+mHIJlPXFVWmrZJEvqMkYaGGjSfveO:L3bNFFICQaGquv
Threatray	633 similar samples on MalwareBazaar
TLSH	T198B4022DA1ADD891FD758973149B97E2EBAC5343C692F8F7808C4F15FA1CB8148C0B99
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	cocaman
Tags:	AgentTesla exe Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PROFOMA INVOICE.exe

Verdict:

No threats detected

Analysis date:

2022-11-22 07:42:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ff557828-8842-42db-bed8-01ac40f872bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337093/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1680.25528.10587.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Launching a process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637c7d102609334c72c1a5b9/reports/38562214-66aa-4fe6-85c1-ad451c1c0b67/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cdd40008-0f02-42a7-9d08-083ed35505f9

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1118708

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-22 00:30:56 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=obqs2qzs5sknqrb5635bzop2inic4vh4pjdk3zs4yuqfrkbe6bla._file

Verdict:

malicious

AgentTesla

019a02c78ac08e21fb8eb9b6bd4c120d56d24077ae385fa959efa70ed890309f

AgentTesla

70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056

AgentTesla

8d7cb307a44963f336066c72cc019b6e35e28a7f9dec66f9ac673ced4181913e

AgentTesla

a78731da2617fe258f08a30bb02775a66e2b8363e5b84f97aa61a0baf178a927

AgentTesla

af90b7982f9e83491575881365351306991619644e94fde6382d892f27a7fb1b

AgentTesla

b2280bc6cc58ae7bcbabc2ed5c5878d70ed463b46cab27da2103ac19ea5e52fb

AgentTesla

c09e4ce0e0baa34a9c9043f4116639a4e0513d953135b4408fc5a5f02a9d2b58

AgentTesla

d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1

AgentTesla

f568ee7f9b0e311bd10c08b8fc2f3ff69e603ff5a5e2c6af2d050b6de0ab1ba5

AgentTesla

+ 623 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221122-jh4crshf6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056

MD5 hash:

7fb0054fe8ab33a1ae308d8ff5de9acc

SHA1 hash:

913e2758bfb5eab1596efe219c7eadf580cda3d1

Link:

https://www.unpac.me/results/c966a1ca-0975-4151-ad20-a23b29c29c57/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/70612d4332ec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 92bc6cd828b4ee80c8827671621ba773fe143de23225a29075c64883d5e0b218

AgentTesla

exe 70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056

(this sample)

Delivery method

Other

Dropped by

SHA256 92bc6cd828b4ee80c8827671621ba773fe143de23225a29075c64883d5e0b218

Dropped by

SHA256 db249c52504ded3d38e809a0588479bfbd0a87a586dc0bfb2836b1b447a14535

Cape

https://www.capesandbox.com/analysis/337093/

Dropped by

MD5 7aa849f515853824b13790341ed0e9e3

Dropped by

MD5 c4d1ed0b65ed485614f5c6158fbdfd9e

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample