MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a435ed976b1983a69514ad3cc7baec253a58dfc44897da016dad7f03fe9a9a67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a435ed976b1983a69514ad3cc7baec253a58dfc44897da016dad7f03fe9a9a67
SHA3-384 hash: b9c50b77a8667fe148798bfbd5e79c28093b3723c6c9026e24c58a97f313f31aba69a096cb6ba3a4050fe7db11cbfa8f
SHA1 hash: 40790b2c8f61c6e81614b09145b225ac62c02f9c
MD5 hash: 1f12f8d24ffe6797a22075eeb7f4c6b0
humanhash: romeo-one-louisiana-charlie
File name:TNT INVOICE_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:737'035 bytes
First seen:2022-12-15 08:11:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 12288:y6k9g778226SH18d84LdQEhKF8Fob5gyz0cy1COwGBMiwmpz0NQWqfhubjAZ/Lf:8qHm6E18d8uwf0jlBMiwmpzJWqI3AZ/L
Threatray 2'573 similar samples on MalwareBazaar
TLSH T15EF423C3F1A0215DFACF2A376DE95D64F5D108A10A5B2D0302652FA7FF2115A0BD987E
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d4923292e2ccb4c0 (13 x AgentTesla, 7 x Formbook, 3 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe TNT

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
TNT INVOICE_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-12-15 08:17:22 UTC
Tags:
installer autoit agenttesla
Link:
https://app.any.run/tasks/b4cd8df2-a963-42d6-bcbc-d2e1114dbbca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346530/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/639ad6d54eb0cc4ebcdd10f4/reports/b118defa-24fe-4414-a998-954cea2fa756/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31727087-f7ea-4aca-9878-f087ff24636b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1134881
Signature
.NET source code contains very large array initializations
Found API chain indicative of debugger detection
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a435ed976b1983a69514ad3cc7baec253a58dfc44897da016dad7f03fe9a9a67/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-15 00:05:27 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uq263f3ldgb2nfiuvu6mpoxmeu5frx6ejcl5ualnvv7qh7u2tjtq._file
Verdict:
unknown
Similar samples:
3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8
AgentTesla
469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4
AgentTesla
4dd76301d49e42ab1e80372c9983b2cb89b663ea23465e2200f757d02b1ea9d2
AgentTesla
7d9b86175551c82242656b775033e8826604c5c534d241b4fbe0bc934a2bac26
AgentTesla
a7688edb40ec7fb6cce0ff2d8859626b8cabc668578c1c69795e68eed32c94ff
AgentTesla
c14e90c00e4990b3c80a1ed015ad0bf6fdd7fb1d083b7b4d756b5cb74f6c7cd8
AgentTesla
c9cf9f0fa6980019aa3a93b9b25ca2cf14cfad4b4afef12d43a20ece34d2093b
AgentTesla
cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03
AgentTesla
+ 2'563 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221215-j3vlcseh8z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/68245048-a1cc-4959-91dd-f25fb8949321
Unpacked files
SH256 hash:
96dd947b749b62452d4e26af9e0b08c2ce7fe84b4c60d89c1d0708399d8d8066
MD5 hash:
d44b895b94cc980f9c849941e576cd78
SHA1 hash:
d97b674d6e0feb6b2bf2304744e0d772b9e6cb28
Link:
https://www.unpac.me/results/186b9246-a90a-414a-abdf-e8acd342f113/
SH256 hash:
e7ca7583a8d5c62d2684993fc63f020374187dee75602664c3a69e6f270f2ef4
MD5 hash:
b6519ca4aa367fb36b8f25b4ee57a563
SHA1 hash:
79aa73b0cc57124a65417cbd6de6a5ae63881609
Link:
https://www.unpac.me/results/186b9246-a90a-414a-abdf-e8acd342f113/
SH256 hash:
59be9ed7e85d933b3a9656a1bdb10b2312b0adb10b16a40faeb5dfadc659fb24
MD5 hash:
97120950305261c99762dd01a0e4f299
SHA1 hash:
869082bb4fe83894c990fd3cd0006598b8eaef03
Link:
https://www.unpac.me/results/186b9246-a90a-414a-abdf-e8acd342f113/
SH256 hash:
a435ed976b1983a69514ad3cc7baec253a58dfc44897da016dad7f03fe9a9a67
MD5 hash:
1f12f8d24ffe6797a22075eeb7f4c6b0
SHA1 hash:
40790b2c8f61c6e81614b09145b225ac62c02f9c
Link:
https://www.unpac.me/results/186b9246-a90a-414a-abdf-e8acd342f113/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a435ed976b19/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/a435ed976b1983a69514ad3cc7baec253a58dfc44897da016dad7f03fe9a9a67

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a435ed976b1983a69514ad3cc7baec253a58dfc44897da016dad7f03fe9a9a67

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/346530/

Comments