MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58
SHA3-384 hash: 2bb46a90ae0817eebdbe85ddd3918d8468b7a960f486d1e6fe964f67b543d4048a59dee3803afeb50d732f2cf60b1bac
SHA1 hash: e35600cbdca1a72a590823adc44a6714eae92b2c
MD5 hash: 52a8103aec5fad2ffcbba8062ee6a2c5
humanhash: fanta-fillet-hotel-potato
File name:Payment Slip_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'137'152 bytes
First seen:2023-03-03 08:52:12 UTC
Last seen:2023-03-03 10:39:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:eWhbSHFhGZdPpnkx6k53C3JRL+MyJd2uHErr5fr2oJ+kSlrnbA:DhbSlhUdKzZCJ4M8d2CEH5fvJj2n
Threatray 1'104 similar samples on MalwareBazaar
TLSH T10C35762809FC0EF28571F1FD9FD4E753BE808CE6AA049D9A92834B89551395720AFD3D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0060696971696000 (10 x AgentTesla, 3 x Loki, 3 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Slip_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-03 08:53:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/07883c5a-69b9-46e1-a4f5-1edb6fb8d81d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371340/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6401b570bfec0852a68eb3ea/reports/310336fa-ee8f-46c0-8816-7ba99e5669d1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3c6c15d-49ef-4e41-b3ad-a6ea90c4f679
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186380
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 05:37:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 25 (80.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=stvyp57djgpxq5poueajxcn324fklsm3d6bhksvmhwzbnken7jma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c
AgentTesla
216509ca0f82c10daa1b7ea155f150766effa1270b1cc4d946f7b6d26851f092
AgentTesla
5b62fd08b3a979449bc21a217e7057e710e5a66ab1f4159a935db45629e24156
AgentTesla
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430
AgentTesla
883a76e3bd674d75abce5d85c78a92250b057e1cdf5c65aa80ca40ce9df5901a
AgentTesla
96c1f2e81dd6ac90324fe3eebbbd592670b5769adf64c8a73fb345d1749d4b02
AgentTesla
c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65
AgentTesla
f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775
AgentTesla
f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1
AgentTesla
+ 1'094 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230303-ktap9sgc3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d8ec03c34a5f3bd93effeafc2e078ade5df75d468dae5208937c69be4fecfe7f
MD5 hash:
cd4b7952d18e1459bae379e5da7f6afb
SHA1 hash:
e09367a20c19427dae20b53cbe761d1b21272c36
Link:
https://www.unpac.me/results/19ca2a09-3ee1-47ee-ab2b-90bf408fba17/
SH256 hash:
f5f89d7ac31ee2cebe67c1c4eb90068cdea479ed552d31af5fda7e00725f2cbd
MD5 hash:
3660108e6b063de4cf3a4c56f548fed5
SHA1 hash:
df79f4cec43d878f7fb05c9cba06d4a3abc53d84
Link:
https://www.unpac.me/results/19ca2a09-3ee1-47ee-ab2b-90bf408fba17/
SH256 hash:
1bab001c090f2f208e39247f8eeaeb77a0740bc9be7fa755cd57a863b3d22dd3
MD5 hash:
90b3109cf9cc5342015fc1583a78b282
SHA1 hash:
bdddff1c96296a0dc9f8d808e3b2d5829a15d2d2
Link:
https://www.unpac.me/results/19ca2a09-3ee1-47ee-ab2b-90bf408fba17/
SH256 hash:
8bef0ec74b927ac081ee6de8852a0f6355e12f2fee84c559973143a440be6e83
MD5 hash:
5f722a6c12149fed72723488b5d960f8
SHA1 hash:
8e8379dff4eb546fec46811332af009bb972cbcf
Link:
https://www.unpac.me/results/19ca2a09-3ee1-47ee-ab2b-90bf408fba17/
SH256 hash:
564ac12f8b153a6abd2a6ddcc97cc14ad643e05df708b9d5eae3003172c4f975
MD5 hash:
f6a075321fc992b952942435395780ab
SHA1 hash:
30900f80368ffaabc5d7ba3f237e9774fd782495
Link:
https://www.unpac.me/results/19ca2a09-3ee1-47ee-ab2b-90bf408fba17/
SH256 hash:
94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58
MD5 hash:
52a8103aec5fad2ffcbba8062ee6a2c5
SHA1 hash:
e35600cbdca1a72a590823adc44a6714eae92b2c
Link:
https://www.unpac.me/results/19ca2a09-3ee1-47ee-ab2b-90bf408fba17/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94eb87f7e349/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/371340/

Comments