MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9554be09d976e055ba80e2e4e23eb07e7e79331d668dd4d132fbd78969f6f3a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	9554be09d976e055ba80e2e4e23eb07e7e79331d668dd4d132fbd78969f6f3a2
SHA3-384 hash:	90030422aec67703bc582638d736a588d86ce456399e110ff361e4fceac4ec25e66eac00342355740e2ebf7f5bc6ccbc
SHA1 hash:	cc920f1f6bc104246a4d7b367fd5dfceb037a71b
MD5 hash:	28e512171716e8b36d42d52f683b4777
humanhash:	juliet-cup-sink-happy
File name:	invoice.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	940'544 bytes
First seen:	2023-02-22 10:38:11 UTC
Last seen:	2023-02-27 09:03:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:qVL5gbcSAQ9xRbidyRTC6wWlvCjFCtcu:qVL5gAo9xRGdlHWlaj
Threatray	813 similar samples on MalwareBazaar
TLSH	T1F3159C4AB7F09437F99E41BC023912CE5E31A213754DE2261F7B78489D86EFBB1C9252
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

invoice.exe

Verdict:

Malicious activity

Analysis date:

2023-02-22 10:39:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d24c0a4a-8715-4ff1-a8cf-8abe414684e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368930/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f5f0c701b99ad33e7f73ed/reports/0baa5a2a-f1c8-47bd-b81b-f7e74ba54918/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9554be09d976e055ba80e2e4e23eb07e7e79331d668dd4d132fbd78969f6f3a2

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b22b7200-6b3c-4d8b-8965-5c28a03bba18

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1180447

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9554be09d976e055ba80e2e4e23eb07e7e79331d668dd4d132fbd78969f6f3a2/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-02-22 09:48:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 39 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=svkl4cozo3qfloua4lsoepvqpz7hsmy5m2g5jujs7plys2pw6ora._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

518c087ade25bb946d8078fa02548b0b3854c0c4fd3352779d5b9383e44c02be

AgentTesla

53245d962b781d4ecd80a1b763d94c006fbb4c3863629e515c290320a6d30374

AgentTesla

7116f819cf1a305e813cb1bf9d3667fdc18efd1d5ed7e6c5a3afe92c1040addb

AgentTesla

7870fc0f2fdeb1a6d5c5a713da63a813078d07e49d55adb031cc6bbda41ea9a0

AgentTesla

a0dae757f9d64283e6a2020eda06e468222e434443718ff246f6993e8eb29d36

AgentTesla

a530d39c6e1b1505e94f7026eb82191062e6a0f62ddbb03a4bcf0eb295c3d518

AgentTesla

b1df719e729c278931dd9c1012e4a6906f90364053ea25770712444ec21535ce

AgentTesla

cd007e27773f87ed822f914b60667b5639f369e0cc1f533b6f8593589efdb337

AgentTesla

f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775

AgentTesla

+ 803 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230222-mpymmsah44/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

8f226fc359ac39869f50678a4240407a1620114d6be535bd5f1520aca09b62d6

MD5 hash:

6b7111b0ef19643fb08a6006e4925ff4

SHA1 hash:

f524c32897e7a836baaf4087f32cd1642f33b07b

Link:

https://www.unpac.me/results/70fae832-025d-4651-a287-a9da3cf6e925/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/70fae832-025d-4651-a287-a9da3cf6e925/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e

MD5 hash:

301d49f143b4559eebb04d6604c9c806

SHA1 hash:

8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3

Link:

https://www.unpac.me/results/70fae832-025d-4651-a287-a9da3cf6e925/

SH256 hash:

0e8a86c8c740777a445427c9b1ec3b826e94312c5c0175bc3b975a351b696201

MD5 hash:

e2960f44f2277300eaaad2e5b3e9c77c

SHA1 hash:

4e04547445a7b660a35aadd3c445034a932878c7

Link:

https://www.unpac.me/results/70fae832-025d-4651-a287-a9da3cf6e925/

SH256 hash:

4c679e16d9a3bd445398ae086b449ea6838ad5c839ef2a792dbdd2c8d4782587

MD5 hash:

9b7d12e7b04b4707d50863b2f66dfba0

SHA1 hash:

0ccefc8dc45122f31dd969604dc25c7a12aed174

Link:

https://www.unpac.me/results/70fae832-025d-4651-a287-a9da3cf6e925/

SH256 hash:

9554be09d976e055ba80e2e4e23eb07e7e79331d668dd4d132fbd78969f6f3a2

MD5 hash:

28e512171716e8b36d42d52f683b4777

SHA1 hash:

cc920f1f6bc104246a4d7b367fd5dfceb037a71b

Link:

https://www.unpac.me/results/70fae832-025d-4651-a287-a9da3cf6e925/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9554be09d976/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9554be09d976e055ba80e2e4e23eb07e7e79331d668dd4d132fbd78969f6f3a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.