MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395
SHA3-384 hash: a13a352d4ac4e6a8e6269c487d2d042d3609916bcaa32a88f63f76d80a15eeb4b9b191fda31826baafd577af17ec3cc6
SHA1 hash: dbdcbb4f6569a517bfc6bcfef584b356fb8a61e1
MD5 hash: 3e63523bd51914bb24470d038b0ba931
humanhash: lemon-summer-five-comet
File name:Shipment Import Invoice & Clearance Documents.xlsx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'984 bytes
First seen:2023-07-24 06:06:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:M2vJRBusymCtVhKg7lpgoFQe0YO/dZH2Tl+peGryawQ5kuKufj3dxR:/FuyCtVn7lp1FQlv2Tl+2Q6uKufzdx
Threatray 888 similar samples on MalwareBazaar
TLSH T1C9F4125533A95D03EBA8BDF8469492281372A5912827D3DCCDB360D81EA6BC0FF316D7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d455a86d496832b0 (15 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Shipment Import Invoice & Clearance Documents.xlsx.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 06:21:54 UTC
Tags:
stealer agenttesla trojan
Link:
https://app.any.run/tasks/11f3156d-8e25-471e-9715-242af21d327b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430560/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.37323.14861.12089.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6450717-8893-4cf9-b473-01075d5832d9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278062
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278062 Sample: Shipment_Import_Invoice_&_C... Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 7 other signatures 2->51 7 Shipment_Import_Invoice_&_Clearance_Documents.xlsx.exe 7 2->7         started        11 aeCdkcnvlNexj.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\aeCdkcnvlNexj.exe, PE32 7->35 dropped 37 C:\...\aeCdkcnvlNexj.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\Temp\tmp433.tmp, XML 7->39 dropped 41 Shipment_Import_In...uments.xlsx.exe.log, ASCII 7->41 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 Shipment_Import_Invoice_&_Clearance_Documents.xlsx.exe 7 7->13         started        17 powershell.exe 19 7->17         started        19 powershell.exe 7 7->19         started        25 2 other processes 7->25 59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 63 Injects a PE file into a foreign processes 11->63 21 aeCdkcnvlNexj.exe 11->21         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 43 webmail.gumustaslojistik.com 109.232.216.224, 49682, 49683, 587 AEROTEK-ASTR Turkey 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        65 Tries to steal Mail credentials (via file / registry access) 21->65 67 Tries to harvest and steal browser information (history, passwords, etc) 21->67 69 Installs a global keyboard hook 21->69 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 05:10:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3kvv3dmnttylbv47ivrvz7he7m4six7owr7flw4ps5jc73zgokq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
363b5b951382bb7c9af26fadf9a61541d5a2d4e733adcb40fbc87e18579fd69f
AgentTesla
3643035d381e44f0facf01f5463aa05fee4315b2c72fea1a96ef28d0185f7369
AgentTesla
7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
AgentTesla
81a48f67c7805ecf8ee47f17999208a9a116fca844d8dff8dbf12f66f4c91445
AgentTesla
88b562c7a56631c4d9221faa41b327b797546ca3be4577438357ac63eaaa316d
AgentTesla
99867d6b9ab9654b849966da0fb19d10c1cc63078538a850ee0def53b457e0e4
AgentTesla
a65903f3968b96768cd2ca31af342c23b7f8c8b0d928b6a7f9119c80f105b3ee
AgentTesla
ae2f668db376e89695e11dd9bed4d3becf18a74f812b6b647beaf39ab2aa3610
AgentTesla
af093bd71cb66c24a34d31d6efa125d86e6ffa89bfbfad9d20658889553e133d
AgentTesla
cc8a067e19c40815e99543a5728c7c12fc2f1a5c64f0a09bfa2504574fcd9a91
AgentTesla
+ 878 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230724-gvcz8sag7t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b0650593ee79c50810c861ce8380734ea9de3a1adf77e425cf86b8673ade7b72
MD5 hash:
d68f2f9257c91b202f5d393689199180
SHA1 hash:
c98b52638766aca0e2c82b2416d23f296370660e
Link:
https://www.unpac.me/results/3c6d6bd1-6016-471b-9a2f-36742ae833b3/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/3c6d6bd1-6016-471b-9a2f-36742ae833b3/
SH256 hash:
0714599f829ef8a48997828cf2f1652f7d5041e4754239a9f7af0e595c286228
MD5 hash:
ecb41e888e0071a4ec4e9b55190f606f
SHA1 hash:
934f75cc1cf440393c54e7c8e1ed424924899cb7
Link:
https://www.unpac.me/results/3c6d6bd1-6016-471b-9a2f-36742ae833b3/
SH256 hash:
5e0c7ccb47282e4211d39dd15b30d693b2e4bd1794b47237d487754637c659bc
MD5 hash:
21c251f98394d336cdab2ba161a8adc1
SHA1 hash:
2bd2223fe0c94ab1176a3a10d3b1ea54867c8ad4
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3c6d6bd1-6016-471b-9a2f-36742ae833b3/
Parent samples :
84ebd97fd1765dc6341db835a8dc4cff8edefd8f263f87e7b1c89b9d60167447
53224dc914e12b6a02b83e05380d13298bc3720f93eea15ee6205dc51aa2a948
b3d5a8673c8f0c5b36f92ad6102af3259457c4f0a72f45e11c1841ae26e37845
7a866c4ebda9c535d197ee8768fa8eafd71a54cee7f13556399aa8baaa059974
f3e85ff8e9a2bc8f6b0f0e75c32e1bb79524da94bbb4da00fcf0f86d477c8da9
685c0426486e575b97363649b440198dda823627b0067ab5e07a39aa830863f7
2fcdf9b821c53b19c9fb4004084559c53c699db27a3359a0d811e5f6189dc260
ba7f9aa187f2834a0e730911db8e70b035a93c5bfd1d98306a1b8841ee63d9a8
6e3a3a740b772fed78f6184d63e0d10290ef1d3b5fee540aa12240ec04b64c5d
76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395
30d4e10628f52ed2bdc6bbfba3825fc778898303dabb1f3262b9dadbc0797a70
f3f7dbd241d5960d5da7a86cb410090d8b85dbbfdf2cf17af4e7738399e6860e
b2444eeadbc421c94ad3d16e895f097b6f7e220c9b18c62cabf12a41f54fa046
SH256 hash:
76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395
MD5 hash:
3e63523bd51914bb24470d038b0ba931
SHA1 hash:
dbdcbb4f6569a517bfc6bcfef584b356fb8a61e1
Link:
https://www.unpac.me/results/3c6d6bd1-6016-471b-9a2f-36742ae833b3/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/76d55aec6c6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430560/

Comments