MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d
SHA3-384 hash: abb3db727488d8f9acb9c5b88f5253dd1c3f6260da4aeda22eead28533052a78e6662eaca397470580c3f559526de8ed
SHA1 hash: 8512515d696683c9c994f9fd8878b1b3b80299d9
MD5 hash: 9b72692e206d68443a96079389898ee5
humanhash: lactose-ohio-mockingbird-colorado
File name:Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:634'368 bytes
First seen:2023-10-12 15:41:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:KMYnQ3j67SESV1eXl8OhA90pEPsL6U6g7t6+BmTsbqK3l2FzeqCrpoYoujW/:KBwfzSTM+qK12FqreaW/
Threatray 364 similar samples on MalwareBazaar
TLSH T172D401046BE68844F3FADF350CF09A885B74A41F7149DB8E0DD653BCB53DB859A00E6A
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33331333690d37c9 (5 x AgentTesla, 1 x a310Logger, 1 x zgRAT)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-10-12 15:43:36 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/236d9551-1520-4789-ad53-8aa432d7bc05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453903/
Detection(s):
Sanesecurity.Rogue.0hr.20231012-1636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Setting a keyboard event handler
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/652813cc28455aedec10657b/reports/4b3138dc-b685-4655-8d8b-3eb1b3e11444/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e0a4004-66b9-4f5b-98ad-541d1ebffc09
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324816
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Copy file to startup via Powershell
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1324816 Sample: Invoice.exe Startdate: 12/10/2023 Architecture: WINDOWS Score: 100 34 fast.nsjet.com 2->34 36 api4.ipify.org 2->36 38 api.ipify.org 2->38 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 13 other signatures 2->50 8 Invoice.exe 3 2->8         started        11 anydesk.exe.exe 3 2->11         started        signatures3 process4 signatures5 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->52 54 Bypasses PowerShell execution policy 8->54 56 Injects a PE file into a foreign processes 8->56 13 Invoice.exe 15 2 8->13         started        17 powershell.exe 13 8->17         started        20 Invoice.exe 8->20         started        22 Invoice.exe 8->22         started        24 anydesk.exe.exe 14 2 11->24         started        26 powershell.exe 11 11->26         started        process6 dnsIp7 40 api4.ipify.org 64.185.227.156, 443, 49713, 49716 WEBNXUS United States 13->40 42 fast.nsjet.com 64.37.52.95, 49714, 49717, 49728 DIMENOCUS United States 13->42 58 Installs a global keyboard hook 13->58 32 C:\Users\user\AppData\...\anydesk.exe.exe, PE32 17->32 dropped 60 Drops PE files to the startup folder 17->60 62 Powershell drops PE file 17->62 28 conhost.exe 17->28         started        64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->64 66 Tries to steal Mail credentials (via file / registry access) 24->66 68 Tries to harvest and steal browser information (history, passwords, etc) 24->68 30 conhost.exe 26->30         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-12 15:40:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcdpuxoqolklwi7kknj2yaau2nvvijput7nqwmk2f3kuzrp4ym6q._file
Verdict:
malicious
Similar samples:
0b14d46fe5a5ee8f6fc2e8c4130f731324c8a1a4d8c66933af9c94966cee0192
AgentTesla
4a793a9dfa5fac79c6e6b8f1d36e8719cc8f2849849259f364ee8e4af08d9613
AgentTesla
6ca768e186aca34cce8eb9a3283f2a17a28f9b81281d464a3c80561b4fbaf066
AgentTesla
7635af462a7f7e9d81b98fd583da931c1f7f3ec1394e1ed1bcd773d340193b93
AgentTesla
a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e
AgentTesla
c71870668e949498421240ed94bbee1385a2f71cd3b8efd28656cacfa6966269
AgentTesla
d0475c384cd4d7b6ea2c3460a07c49fd59aafe87841e479d7965c3384ccec67d
AgentTesla
+ 354 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231012-s5cm1abe72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e942f5dfdd728493b42242bb84b061dcb6ff928f8ea18da75d048fdcbda9e25e
MD5 hash:
498c17effdf08dba7bec412868c3ebf3
SHA1 hash:
fb3f9ab2ca5f3dc9b6c4eed1a44712036bbe2287
Link:
https://www.unpac.me/results/6bf47b80-fdf0-4fc8-b8ed-a611536cff16/
SH256 hash:
eb519db5a37497971590d1831b11fddbb78f46e9a56be2d7fa681f2be5260b5a
MD5 hash:
1b61e613201ba3082a7e2bbb203dba73
SHA1 hash:
8c10a68e4c9e8aae473fbc05104e663f7faf3661
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/6bf47b80-fdf0-4fc8-b8ed-a611536cff16/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/6bf47b80-fdf0-4fc8-b8ed-a611536cff16/
SH256 hash:
9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d
MD5 hash:
9b72692e206d68443a96079389898ee5
SHA1 hash:
8512515d696683c9c994f9fd8878b1b3b80299d9
Link:
https://www.unpac.me/results/6bf47b80-fdf0-4fc8-b8ed-a611536cff16/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9886fa5dd072/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/453903/

Comments