MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659
SHA3-384 hash: 9b2f91c970ca54dc97fadf31dd79d0a536c7573f1c567d6da4c4a4a5409eed61466d76ca19246ad889aabc567c284a40
SHA1 hash: 3c6e002e4af313e32c4d2a91d8118e56f628f523
MD5 hash: fd08abca4e3743827c7f8bb9c69066d9
humanhash: bluebird-coffee-kitten-snake
File name:shipping invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'098'240 bytes
First seen:2023-08-14 08:02:23 UTC
Last seen:2023-08-21 07:26:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:jaBncNRrrSARli7qNNw+lJq9RmVQA66xd/qn80Tj:kcNRrrjRliR+AmVt3
Threatray 158 similar samples on MalwareBazaar
TLSH T19235E160BE399E47D95E09B9404ED30D86B64C923562C2765EFBA0CAD0C77C202DB79F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon a8a6969a9a9a88a2 (3 x AgentTesla, 1 x DarkCloud)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shipping invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-08-14 08:03:32 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/da7b742b-a85c-4455-9e1a-805771f5eaab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442622/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a226bdb-8093-4781-958a-bb50e8286def
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290852
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290852 Sample: shipping_invoice.exe Startdate: 14/08/2023 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 9 other signatures 2->58 7 shipping_invoice.exe 7 2->7         started        11 QvTZcZCAjlv.exe 5 2->11         started        13 fireling.exe 2->13         started        15 fireling.exe 2->15         started        process3 file4 44 C:\Users\user\AppData\...\QvTZcZCAjlv.exe, PE32 7->44 dropped 46 C:\Users\user\AppData\Local\...\tmpEC5E.tmp, XML 7->46 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 7->64 66 Writes to foreign memory regions 7->66 68 Adds a directory exclusion to Windows Defender 7->68 70 Injects a PE file into a foreign processes 7->70 17 RegSvcs.exe 2 39 7->17         started        22 powershell.exe 15 7->22         started        24 schtasks.exe 1 7->24         started        72 Antivirus detection for dropped file 11->72 74 Multi AV Scanner detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 26 RegSvcs.exe 11->26         started        28 schtasks.exe 11->28         started        30 RegSvcs.exe 11->30         started        32 conhost.exe 13->32         started        34 conhost.exe 15->34         started        signatures5 process6 dnsIp7 48 mail.quantumgenetix.com 69.27.116.4, 25, 49725, 49734 VDCCA Canada 17->48 50 showip.net 162.55.60.2, 49719, 49731, 80 ACPCA United States 17->50 42 C:\Users\user\AppData\...\fireling.exe, PE32 17->42 dropped 60 May check the online IP address of the machine 17->60 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        62 Tries to harvest and steal browser information (history, passwords, etc) 26->62 40 conhost.exe 28->40         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 02:07:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2mlufnwf7h55yxnyz7pbg3psqrmemm3j3clib7bj7uslumhuzmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
120efb48724487028465fb5d25db17b9398f56bad7116e54299ab5087104e69b
AgentTesla
26cae4cdeef032aea2bd4ea1c5b88fbfb876bb3dd35a54076356195969fe3611
AgentTesla
5bdc507a5fbaa95fa0ae02fda710c7663c18ac396e9f7b518c21453a83c8acad
AgentTesla
651a4c3e35b647788a3eb33862d90bc7d58912e6e99ffb8a7bd4c759634fe67b
AgentTesla
6ad7d4e5a33b5fe6171a0e49604b83d64af6f026dda89f3c9dbdba7c65bc3379
AgentTesla
9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b
AgentTesla
a456a0fcdedef851458b225f6bae02f6ee4e9ff6e1d479376d3766497aea8ac2
AgentTesla
cf58f75317f4bdf3150cf37739edc9e76952652f4104e16198f3462f0912859d
AgentTesla
d085497cb6b122fc1ba456aff7becbc74bf8b4f9c2bc895932821a60a4536cb2
AgentTesla
e1dfa20210b95ab54c97edfb1ecef7a381c60e337c912242642008851f0bcd57
AgentTesla
+ 148 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230814-jxqefsaf65/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/a2713c23-c85d-41a0-8e2b-f3920252b365/
SH256 hash:
a49a455839453a33147ed5f1c366848f96a79d172fc0d28d1b0028eef24da97d
MD5 hash:
7a57d3d274732311c8b3458649d15991
SHA1 hash:
e8c47cf04f3000c94d7fdc7e92bd407cde26b04a
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/a2713c23-c85d-41a0-8e2b-f3920252b365/
Parent samples :
a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659
52bf42d91cce8764858e3d324a1f85d198722c43f6ae2a3d51e4dc93132bfa50
dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc
SH256 hash:
504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804
MD5 hash:
74ed681a2d7aed1dae5627d4367474f8
SHA1 hash:
cad2df636d3f0710f69fdb18cbae03a332341dd3
Link:
https://www.unpac.me/results/a2713c23-c85d-41a0-8e2b-f3920252b365/
SH256 hash:
9d1e5c33436f839268e092aab593e7f7df2c4d1b51a3b0a9c92e3b611d277252
MD5 hash:
47bac3685c8f26a1128ae464e4249b50
SHA1 hash:
c0ffa6f999c68127d1bed9b994e3cc45185469b1
Link:
https://www.unpac.me/results/a2713c23-c85d-41a0-8e2b-f3920252b365/
SH256 hash:
8973ec20883b3d45af6c843de26bd764bb3ca9346ffe2def89942b1a973f16f0
MD5 hash:
67cda3ec4bee9bf8bb35ea857ac9a5d1
SHA1 hash:
6ca5037103de3a0d69b07610cdb9a4f7ed70c643
Link:
https://www.unpac.me/results/a2713c23-c85d-41a0-8e2b-f3920252b365/
SH256 hash:
a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659
MD5 hash:
fd08abca4e3743827c7f8bb9c69066d9
SHA1 hash:
3c6e002e4af313e32c4d2a91d8118e56f628f523
Link:
https://www.unpac.me/results/a2713c23-c85d-41a0-8e2b-f3920252b365/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a698ba15b62f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442622/

Comments