MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81b0167be4ea2120f1cf3588e8517ed0d05dc5a15ef70d5fae3010b4312209e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81b0167be4ea2120f1cf3588e8517ed0d05dc5a15ef70d5fae3010b4312209e3
SHA3-384 hash: 7683ac1fb432f1e35a7650df7e0323e345c5b53c9a7796563c9797913633c9da24a25b1f57b039817aa33abecb06a75d
SHA1 hash: 99af4362313f54bf8497854b40b8064388a1ebb8
MD5 hash: a5e92d89b3398e4583fb8721e122be39
humanhash: georgia-mountain-batman-seventeen
File name:49204695, invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:821'248 bytes
First seen:2023-04-06 07:45:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:RA32iNpVDAu5oWAJoWPGo0eNq/qUwNtjK7Res3xoU4o/Lj1y9972rS:q12KjAOo+eY/Czm7fhTLE6O
Threatray 61 similar samples on MalwareBazaar
TLSH T142056A521D6242C2C8B90F7444B93A4817B5AC538FE4903E7D82797F8FFAB9B54893D2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
49204695, invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-04-06 07:46:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb07d798-69b5-44e7-aff8-372b440137b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380576/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/642e78bbdb2ad5a3310f137b/reports/e08b54d8-50c4-4582-8f5b-02da20de1ed7/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/81b0167be4ea2120f1cf3588e8517ed0d05dc5a15ef70d5fae3010b4312209e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b290278-d5cf-4947-8c52-d02097eb3b7e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209483
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842398 Sample: 49204695,_invoice.exe Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 6 other signatures 2->45 7 49204695,_invoice.exe 7 2->7         started        11 oGPuJpGSVb.exe 2 2->11         started        process3 file4 25 C:\Users\user\AppData\...\oGPuJpGSVb.exe, PE32 7->25 dropped 27 C:\Users\...\oGPuJpGSVb.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmp90C0.tmp, XML 7->29 dropped 31 C:\Users\user\...\49204695,_invoice.exe.log, ASCII 7->31 dropped 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->47 49 May check the online IP address of the machine 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 57 3 other signatures 7->57 13 49204695,_invoice.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        53 Multi AV Scanner detection for dropped file 11->53 55 Machine Learning detection for dropped file 11->55 signatures5 process6 dnsIp7 33 esmod-syrie.com 174.142.186.164, 49696, 587 IWEB-ASCA Canada 13->33 35 api4.ipify.org 64.185.227.155, 443, 49695 WEBNXUS United States 13->35 37 2 other IPs or domains 13->37 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->59 61 Tries to steal Mail credentials (via file / registry access) 13->61 63 Tries to harvest and steal browser information (history, passwords, etc) 13->63 21 conhost.exe 17->21         started        23 conhost.exe 19->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81b0167be4ea2120f1cf3588e8517ed0d05dc5a15ef70d5fae3010b4312209e3/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-04-06 02:36:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgybm67e5iqsb4opgweoqul62dif3rnbl33q2x5ogailimjcbhrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d2d3cc50572a90b68558d070375be0474a2294f5cc1d4ac0249b19f21d12d8b
AgentTesla
0d3e49d997a7f0261e9ba685ef0e91e5b51aa44c2c44e93d6c53621b9cea7a63
AgentTesla
15521c63c4acf711edeacb072031aaf7c8eec1b8dfdaf364ffd3e9f71fa66cff
AgentTesla
5d89fd91fbb0c2d4d75df1bde8c233dc0fe3e576966a5ab65b231ecc58935272
AgentTesla
7c69c8b13870df342b88a74c4593de7cdafd313516a613e6d2c358654989b197
AgentTesla
851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3
AgentTesla
86427b8288b61c876a94f3d5226fb04f843ee245ad937dcdb4b974e81ec8b404
AgentTesla
f9e83b0a37210c05f53c608019e724d00a92a4addb4f7c21b024897fd121ec1c
AgentTesla
fbf65313c5df97b4605857a062c5f4161d189395369346927520cc2811a1a711
AgentTesla
+ 51 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230406-jlyxfsca79/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6ed5754774ca845ea9082b30abb01d1db00078035c800d347212d21778ae5b72
MD5 hash:
656856ebecb29670e0e8fa56046e5eb4
SHA1 hash:
954b5a1bca5190305e1245b041dddcd487e28924
Link:
https://www.unpac.me/results/8a60a2d2-853b-42b0-bc6b-777e9fe2a8eb/
SH256 hash:
a5fec14395f4457c650615e862bdf73e58a970cf8221a60cd7bac9e347773b19
MD5 hash:
cdbb0fd3b92a1c441bfd182ca9708e65
SHA1 hash:
830ec15c630a6b5b3803f9b5e0d23cc3694bb4ca
Link:
https://www.unpac.me/results/8a60a2d2-853b-42b0-bc6b-777e9fe2a8eb/
SH256 hash:
57fa9cbf99b09e323fb0653b08c2c05b401f4c14da23cf5f276dc2d524712816
MD5 hash:
fbd87855aa9c4efb54e4c5e9174b36ba
SHA1 hash:
5ee752b935286b4017f7753e16c7cfb5492df530
Link:
https://www.unpac.me/results/8a60a2d2-853b-42b0-bc6b-777e9fe2a8eb/
SH256 hash:
97eb076252deac8dbfdf9c6bef1cd9a94016a928d3a2e87a0d255facf353f848
MD5 hash:
f74062371d4d731d507397a370704bed
SHA1 hash:
e17cc393f3e7dc6dd071e3ec406c6c4dd91b2a6f
Link:
https://www.unpac.me/results/8a60a2d2-853b-42b0-bc6b-777e9fe2a8eb/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/8a60a2d2-853b-42b0-bc6b-777e9fe2a8eb/
SH256 hash:
81b0167be4ea2120f1cf3588e8517ed0d05dc5a15ef70d5fae3010b4312209e3
MD5 hash:
a5e92d89b3398e4583fb8721e122be39
SHA1 hash:
99af4362313f54bf8497854b40b8064388a1ebb8
Link:
https://www.unpac.me/results/8a60a2d2-853b-42b0-bc6b-777e9fe2a8eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81b0167be4ea2120f1cf3588e8517ed0d05dc5a15ef70d5fae3010b4312209e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380576/

Comments