MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d
SHA3-384 hash: 89b0cdcf06289ffd7844fa0803cdd951866523bf344b17da087c2fef0d4651e93086ca75e06ca488a3111b105fa8621e
SHA1 hash: c4ae56300756262762949a3126c52ace92b1f100
MD5 hash: bda27ed6f93529d2765fd10779de47e0
humanhash: mountain-victor-oscar-cup
File name:invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:729'600 bytes
First seen:2023-08-01 10:42:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:C1tNZ2DrH2feOIVGEPQKC0/6Q5SZUmwhE5/i5z42ZjE:wtv9APQKzkPOZjE
Threatray 925 similar samples on MalwareBazaar
TLSH T119F4F10172AA5FA7C5BB93F81960F41057F56DAF2179E3299EC270CE1632F104A91F2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-08-01 10:45:41 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/ada582a6-0f95-41fa-97a7-00aa8fd60782

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439537/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.92482.18957.10343.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Setting browser functions hooks
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c8e1baa108b876ac84babd/reports/9b69ac7b-e3ac-4bb6-b8e8-cb6bc6c327ad/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a5c81080-ffd5-4604-9154-50d21e49cbb6
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283621
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 03:42:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o72czbflezxfzn6dvrcx4msiotd3ny5r6zazdlndhpflqlztuv6q._file
Verdict:
malicious
Similar samples:
1c49730d3f661ceb983be9443e1ee63c81c28c9730507bf96b0e36f857f2e8ed
AgentTesla
24952a927387b2cfbd99c117a3b7d74fa69dce826f70767765622a5aab3db707
AgentTesla
88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf
AgentTesla
91cebe14386e053247997445208e08475f64480520316f826e252dd11431e240
AgentTesla
974299d11689e7d89d4994a9e64c6e1db9516ac3a085c079f2be6b2491aa1dfd
AgentTesla
9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0
AgentTesla
e163660f2b270299aa1ff5846e0b7b8d9eac1f91ad2d3f5cfe3cfc261123bdcf
AgentTesla
e2357821cf4c5c1991d7751e1ddad32d833979c37dcb9c51013b9bf403f615bf
AgentTesla
e3643d141c0e87b3304f3b015f1e8dbbbe273e9a8bb93906991fe61a3073f891
AgentTesla
+ 915 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230801-mr866agd41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b1df96bc85541a7b126c067c741fc00c7017b0d421bddb5b9db25abd0e824740
MD5 hash:
4b1f77602db22d7bd35348338bf6f8d9
SHA1 hash:
e0e4519318747d8227e608188fd55b676c97cc78
Link:
https://www.unpac.me/results/373749b4-f6a5-463f-8fb1-e9c7a8e8bbcf/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/373749b4-f6a5-463f-8fb1-e9c7a8e8bbcf/
SH256 hash:
b6ed0e2acdcc4d901ed3f8ecbc04d7f889bdcee147b20577a4599d0ba5a07dd5
MD5 hash:
f3a1b3d21ddc05865bf5a9b53e965e00
SHA1 hash:
78b6f4c58b905cf9ce2613a042f2b1f9686627d9
Link:
https://www.unpac.me/results/373749b4-f6a5-463f-8fb1-e9c7a8e8bbcf/
SH256 hash:
dcbd8442762f90cd583050546d2eb8ce4d06dc1c786d16e93651cff0827b6312
MD5 hash:
145ffe28b2e53f9ab5cf7a21e43157fa
SHA1 hash:
639421307a16f0bec62a15f3ce46535faed8babe
Link:
https://www.unpac.me/results/373749b4-f6a5-463f-8fb1-e9c7a8e8bbcf/
SH256 hash:
77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d
MD5 hash:
bda27ed6f93529d2765fd10779de47e0
SHA1 hash:
c4ae56300756262762949a3126c52ace92b1f100
Link:
https://www.unpac.me/results/373749b4-f6a5-463f-8fb1-e9c7a8e8bbcf/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77f42c84ab26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439537/

Comments