MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 873361a4ca66642d8749033b0cb0454a88919c4dbb1555447de234097f8738a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 9

SHA256 hash: 873361a4ca66642d8749033b0cb0454a88919c4dbb1555447de234097f8738a3
SHA3-384 hash: 52a3ab2b348626e8aefc9b1a0cfa90cf9e592e07cf190f7588b10c19562b05df869a746fd9a68193eb3a29b6af5b8759
SHA1 hash: ba6f8c1c508439f5521be474d5e6bdcf2d3ef9f8
MD5 hash: 084e334a2a25f9c5f33f6d35c4d8e298
humanhash: mountain-finch-lemon-september
File name: invoice2 8b00649.exe
Signature: AgentTesla
File size: 294'400 bytes
First seen: 2021-04-28 14:55:18 UTC
Last seen: 2021-04-28 15:14:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:H6XOutVAUm9IbdUjhic07Sf1kEfOKrt9Xj:azV9m9Ibz7i1kzQ/Xj
Threatray: 4'408 similar samples on MalwareBazaar
TLSH: E454F1007B39F811C96D69B6AE67C6EE15306F60ED368723B94A360F3734B64DA1D390
Reporter: cocaman
Tags: AgentTesla exe INVOICE

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 67
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: invoice2 8b00649.exe
Verdict: No threats detected
Analysis date: 2021-04-28 14:58:28 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour

Behavior Graph (ID 399325; sample: invoice2 8b00649.exe; start date: 28/04/2021; architecture: WINDOWS; score: 100)

Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 6 other signatures

Process tree as recorded in the graph (dropped files and signatures are listed under the process they were attributed to):

invoice2 8b00649.exe (started)
    dropped: C:\Users\user\...\invoice2 8b00649.exe (PE32)
    dropped: C:\...\invoice2 8b00649.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\...\invoice2 8b00649.exe.log (ASCII)
    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    invoice2 8b00649.exe (started)
        dropped: C:\Users\user\AppData\Roaming\...\MSword.exe (PE32)
        dropped: C:\Users\user\...\MSword.exe:Zone.Identifier (ASCII)
        signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    wscript.exe (started)
        signatures: Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
        powershell.exe (started)
            conhost.exe (started)
    AdvancedRun.exe (started)
        AdvancedRun.exe (started)
    AdvancedRun.exe (started)
        AdvancedRun.exe (started)
MSword.exe (started)
MSword.exe (started)
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-04-28 14:58:47 UTC
File type: PE (.Net Exe)
Extracted files: 39
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: AgentTesla
Sample: Executable exe 873361a4ca66642d8749033b0cb0454a88919c4dbb1555447de234097f8738a3 (this sample)
