MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88fc70b1b309fd00d08629db01c91f1b7de5f3d459eee1e31782aee3f8172771. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88fc70b1b309fd00d08629db01c91f1b7de5f3d459eee1e31782aee3f8172771
SHA3-384 hash: 6c760eac67fad8dcc91d3e587b28ab57dc70a5bb35ecfeb31495ecd640dfdd515b9da89db77db3f6c23673c387e61e31
SHA1 hash: a794aff2fc1f13a994582f1e7d47fe0a24bf7eb5
MD5 hash: 2e0065f9a697ab128120a8e56a2f7d35
humanhash: west-item-artist-idaho
File name:Bank Copy.jpg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:770'048 bytes
First seen:2021-07-12 20:56:16 UTC
Last seen:2021-07-14 07:38:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:aZ56P1XN5GnTOdU+CHpZsPBcbRei/vuRjYNNQKv4cU5bOa1lEeTl4P9Mo+7vUVLi:A6Pcb44vuRkNT28xD/+rc
Threatray 6'601 similar samples on MalwareBazaar
TLSH T186F47B3C23BDA609F23BFF719F90B2459FA6767A9226D14D5CC4020A5821D81FEB7532
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank Copy.jpg.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 20:59:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8600a526-b69d-476d-ad08-c3009bcedc91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171186/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/866bec6a-e08f-4532-a7f6-8043d6dc8121
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/815161
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447572 Sample: Bank Copy.jpg.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 88 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Uses an obfuscated file name to hide its real file extension (double extension) 2->47 49 5 other signatures 2->49 7 Bank Copy.jpg.exe 7 2->7         started        11 Battery guage.exe 5 2->11         started        13 Battery guage.exe 2 2->13         started        process3 file4 29 C:\Users\user\AppData\Roaming\LtveTbNfj.exe, PE32 7->29 dropped 31 C:\Users\...\LtveTbNfj.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmp77B9.tmp, XML 7->33 dropped 35 C:\Users\user\...\Bank Copy.jpg.exe.log, ASCII 7->35 dropped 51 Injects a PE file into a foreign processes 7->51 15 Bank Copy.jpg.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        21 schtasks.exe 1 11->21         started        23 Battery guage.exe 2 11->23         started        signatures5 process6 file7 37 C:\Users\user\AppData\...\Battery guage.exe, PE32 15->37 dropped 39 C:\...\Battery guage.exe:Zone.Identifier, ASCII 15->39 dropped 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->41 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88fc70b1b309fd00d08629db01c91f1b7de5f3d459eee1e31782aee3f8172771/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 19:39:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 29 (51.72%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rd6hbmntbh6qbuegfhnqdsi7dn66l46ulhxodyyxqkxoh6axe5yq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01330ada2211171d1bb5db977363a94cea239c455ea8c2fabea401a29b1c8143
AgentTesla
185b9c602b6bb5a090f8f082d5078dc39c43edd4d7bef6a5a632cf56fae99970
AgentTesla
20dbea65f9ea5d713ead877a8fdca2bb606af820520ea99fafcef39fc7652ce2
AgentTesla
294d3baa6d4e6b9d6e55fd9c67072d0d27f3786a4abb6b27c32fa977778fd94e
AgentTesla
2cda5a819c37bfd8d72c1d55fd1caaccbc8e4b18ee3f6531923d272ffba6f6a9
AgentTesla
2ff93944081c104e8175f5209255c50e92d65f8a3e35fbf01c5f6f46237575af
AgentTesla
5219d7954b75149f01d407ecf6cca2d3ce959b9cc8a54dd34bb31d50673901b7
AgentTesla
8156ce4621048984bce4875898da52376777c2380543fd353de5af5b72c5ebca
AgentTesla
9d2456c99b93373a3c4aa7704bb02363336af433de86dc7c6ff5361dd05216fa
AgentTesla
ad39169af0ebe9afeba1bc9947951d8235f938f95fb266282860115bc1cad4a4
AgentTesla
+ 6'591 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210712-22vlmyhdrx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
83875332113bb3a9617ee98898cff21f4776c213031d15b87e230dc1508bb8c7
MD5 hash:
00146037825e74badedff8c884b00125
SHA1 hash:
c9f37cd23ff852dfafa3aa3dd78d4db1792a4eaa
Link:
https://www.unpac.me/results/065dc64a-bb1f-4c8e-b262-af360e4ff96d/
SH256 hash:
892319153cce881d81ec69c5fbe4d29b9a23351cbb599057a97ee3dafc71e5ce
MD5 hash:
b2f72a52e5acc0ce6417a8d19b882ba0
SHA1 hash:
7953cad510c6fe13cfeb283dd38ef2bcb835f79a
Link:
https://www.unpac.me/results/065dc64a-bb1f-4c8e-b262-af360e4ff96d/
SH256 hash:
cdb21e7ffdb79b75a9fe0e4e04c2887572f3ac9252a05abe7205c30cf083ac4d
MD5 hash:
df4a103d412dea89b580da939eb620ea
SHA1 hash:
51c49338ecc24a8fd6c52ebef3b0d2f3439b8523
Link:
https://www.unpac.me/results/065dc64a-bb1f-4c8e-b262-af360e4ff96d/
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/065dc64a-bb1f-4c8e-b262-af360e4ff96d/
SH256 hash:
88fc70b1b309fd00d08629db01c91f1b7de5f3d459eee1e31782aee3f8172771
MD5 hash:
2e0065f9a697ab128120a8e56a2f7d35
SHA1 hash:
a794aff2fc1f13a994582f1e7d47fe0a24bf7eb5
Link:
https://www.unpac.me/results/065dc64a-bb1f-4c8e-b262-af360e4ff96d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/88fc70b1b309fd00d08629db01c91f1b7de5f3d459eee1e31782aee3f8172771

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/171186/

Comments