MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7614db6dcbe0c9a1ade9ac2caec0d1350b78802b5ffa3678ad513ce41ef6d5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	a7614db6dcbe0c9a1ade9ac2caec0d1350b78802b5ffa3678ad513ce41ef6d5c
SHA3-384 hash:	ac4215539bcf95bf23b0e836f0bc743f0643c9df06f313cc5323dc869c2e1a8e5b0d4c0b8c49e68b2526d8b77bd24322
SHA1 hash:	ece6a4754c8655efed335dd795398d6e3417c4d6
MD5 hash:	886c6d07ae020f48b3af4dd6357f558e
humanhash:	sixteen-one-twenty-butter
File name:	Delivery Invoice.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'145'234 bytes
First seen:	2022-11-15 03:06:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:LAOcZXMuDtwtXGhDCh18p3bjLzCXPQMTjbnNSPu:NwteiDVBnCXYMTnNSPu
Threatray	2'240 similar samples on MalwareBazaar
TLSH	T110351301F7D686B1D1B20EB15D296B889DB87E601F289F1FB3E46D3CDA324901125FB6
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	80009085808696a2 (14 x AgentTesla, 4 x Formbook, 3 x NanoCore)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Delivery Invoice.exe

Verdict:

Malicious activity

Analysis date:

2022-11-15 03:09:03 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/e2f9f803-9352-4ece-b0c4-66a574b73344

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/334031/

Detection(s):

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Creating a file

Launching a process

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/52529/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/637302573024da3911e8240a/reports/91c94902-f0d7-47da-a3cd-368312f38da7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/685fb4f8-e6e4-4a8d-8192-fa0253205b99

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1113455

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus detection for dropped file

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a7614db6dcbe0c9a1ade9ac2caec0d1350b78802b5ffa3678ad513ce41ef6d5c/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-15 02:06:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 41 (41.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u5qu3nw4xygjugw6tlbmv3ancnilpcacwx72gz4k2uj44qppnvoa._file

Verdict:

unknown

AgentTesla

2bcd2cd9b7ba2e16ee457931ea8cb0b188655aacd4d7516fc5589009b7199a01

AgentTesla

55c32a9bd16c2d9113c92d2b57f2204aee9f1685c0496cea083309bb70d86c6f

AgentTesla

623d9a74747fe5ff5e72eb70d6ba2d2906eab55b5db50d796728e6d7ab492c79

AgentTesla

6ed9a8b54bcf003ce7c30232c4aec5b6e14dd4722238dd153e8d01a1494eca8f

AgentTesla

c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df

AgentTesla

d3d3c216728f58044cae30180c84e75db170ea200860ae9415004f3a0f167ec3

AgentTesla

+ 2'230 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221115-dma9wsef89/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

AgentTesla payload

AgentTesla

Gathering data

Unpacked files

SH256 hash:

fe8f1243f9511c7fc3ba77139846a2da1eb06eea4409f205e4bbf95b9e372d0c

MD5 hash:

e3ff6b04494dce1e8b965e5c25ec20bf

SHA1 hash:

a583e19320332ced5a8ad0d049e74fd686209a09

Link:

https://www.unpac.me/results/c631086e-66a6-4de1-b979-a3eea3ff17f6/

SH256 hash:

78847840bd8a3d631dc5853f51a1081f2ba1aad54f9f5fd732c9fc408d13b06a

MD5 hash:

594e89e2b209429ec6f8f77cfc912359

SHA1 hash:

27bbf3e8370d99c2c2f8bdd0ba524422656016b1

Link:

https://www.unpac.me/results/c631086e-66a6-4de1-b979-a3eea3ff17f6/

SH256 hash:

a7614db6dcbe0c9a1ade9ac2caec0d1350b78802b5ffa3678ad513ce41ef6d5c

MD5 hash:

886c6d07ae020f48b3af4dd6357f558e

SHA1 hash:

ece6a4754c8655efed335dd795398d6e3417c4d6

Link:

https://www.unpac.me/results/c631086e-66a6-4de1-b979-a3eea3ff17f6/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a7614db6dcbe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a7614db6dcbe0c9a1ade9ac2caec0d1350b78802b5ffa3678ad513ce41ef6d5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/334031/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample