MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180
SHA3-384 hash: a9a9f688fd60cc90bf4b49b4cf4ecfa44b44a27503f0dcfe5d9b260555fda5e79e5d3814f79c7e5104c189b474d63f57
SHA1 hash: a2808a83e32b5517b8ec2b489ef0528d400ed93f
MD5 hash: ca6edf7025270d9dde5c570d68f1b8ec
humanhash: april-sixteen-texas-football
File name:IMG_1376092pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'895'424 bytes
First seen:2023-06-22 07:51:59 UTC
Last seen:2023-06-22 08:28:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:isM5YKm643Y++Ly117OyyEi+81B2ujfFYbFL3+:H3
Threatray 4'825 similar samples on MalwareBazaar
TLSH T182953AE8D8EA44D2E407E9F05C38FAA10532BEA3DCD90C243F2DB5455F7A95229B5D0E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 74ecccccd4e8f4dc (5 x AgentTesla, 1 x AsyncRAT, 1 x SnakeKeylogger)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
3
# of downloads :
251
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_1376092pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-06-22 07:54:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9bdab47d-4867-4b94-b050-6aa50d11d938

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401591/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6493fda49d44d31f835c1689/reports/9231a3e7-976f-42c1-897d-aac75123419f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/956e775b-17e2-4a22-ba4c-7e0d5230202e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259506
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 892525 Sample: IMG_1376092pdf.exe Startdate: 22/06/2023 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 7 other signatures 2->46 6 Klevwuyhcwh.exe 3 2->6         started        9 IMG_1376092pdf.exe 1 3 2->9         started        12 Klevwuyhcwh.exe 2 2->12         started        process3 file4 48 Antivirus detection for dropped file 6->48 50 Multi AV Scanner detection for dropped file 6->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->52 54 Machine Learning detection for dropped file 6->54 14 Klevwuyhcwh.exe 14 2 6->14         started        22 C:\Users\user\AppData\...\Klevwuyhcwh.exe, PE32 9->22 dropped 24 C:\Users\...\Klevwuyhcwh.exe:Zone.Identifier, ASCII 9->24 dropped 26 C:\Users\user\...\IMG_1376092pdf.exe.log, ASCII 9->26 dropped 56 May check the online IP address of the machine 9->56 18 IMG_1376092pdf.exe 15 2 9->18         started        20 Klevwuyhcwh.exe 2 12->20         started        signatures5 process6 dnsIp7 28 api.ipify.org 14->28 30 server1.sqsendy.shop 63.250.35.178, 49714, 49718, 587 NAMECHEAP-NETUS United States 18->30 32 api4.ipify.org 104.237.62.211, 443, 49713, 49716 WEBNXUS United States 18->32 38 2 other IPs or domains 18->38 34 173.231.16.76, 443, 49717 WEBNXUS United States 20->34 36 api.ipify.org 20->36 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->58 60 Tries to steal Mail credentials (via file / registry access) 20->60 62 Tries to harvest and steal browser information (history, passwords, etc) 20->62 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 16:43:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpziw7llxuah5rycq5idvps6ahmqv3zbewysq7eyy2vk4dg4igaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09d70a9a22f7bf12c1a6354b1d90d426e1223576d27ba855f6f48d78bf508833
AgentTesla
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
AgentTesla
3bf7b7244aaf94354649a6fcecee9add95d2e4768e8d60fb342202801ab16139
AgentTesla
41250765ce8be9fb830cfd0ca91b82a7018d7859b6cd90a80de2f83eb365cc2b
AgentTesla
415dba49ad160b272fc159f4a7eacba2990c09f0941127acb8c3366fe7866c12
AgentTesla
5404c10cf88a5d915b78fcc822cb3ba3139ad4ed9cdacbf6c82dd070c4e1bc4b
AgentTesla
5ab22e56eeec62218a25df2b827421b501188978e80fa4ec531479d38ea3f5f2
AgentTesla
a2568c55311566d7907ad76b9b833d696ca45eb06b06e581a1e673d4442c613e
AgentTesla
c3d484451f9d0cf5aa68dfeceed67b5853cd2780512129668e9fdd98bc5490de
AgentTesla
c7eb221558c49c1bc163ed223f2fd9847c4f1bce98401c779cbcdd5738b54edc
AgentTesla
+ 4'815 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230622-jqdr3sdb49/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0b905272fa9975536188ab11ef27dca1658a41ac3076aa07213ff20695cc3b68
MD5 hash:
4cc9eff269022ab111e740000f022f2a
SHA1 hash:
9c0ebfffb6632c7c4b55b9dd4157f825d406413c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/bb612348-86fa-4f24-b539-c2a8576c2e33/
Parent samples :
c7eb221558c49c1bc163ed223f2fd9847c4f1bce98401c779cbcdd5738b54edc
abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180
SH256 hash:
806c135f8e1816af73c6b7dc369fb34bfa0dc0a318c4fe4f3a4f46ab249abb14
MD5 hash:
7e4adcc44336a33af3dc6c149e381a14
SHA1 hash:
71fd72e6560bf0a9a52531086efe155a13fe1f51
Link:
https://www.unpac.me/results/bb612348-86fa-4f24-b539-c2a8576c2e33/
SH256 hash:
5faa526361fc0de0674d860df69ebb4a23b9d03f8e9fd23d9745223ba1de2dcf
MD5 hash:
f68a3833f5cc3983926ef491cbf9b5a7
SHA1 hash:
5a9ee963788eb6104c7480f74aeec7e5c81016b9
Link:
https://www.unpac.me/results/bb612348-86fa-4f24-b539-c2a8576c2e33/
SH256 hash:
c40f33afa26ac645338678073daa2ae05ae0a99efbb14fadaa6b30214e5d92e1
MD5 hash:
a50d67a66880c104a929dd8496a8c57c
SHA1 hash:
2e3501e32e75de52c65d81ceca7adf8a6d30d62a
Link:
https://www.unpac.me/results/bb612348-86fa-4f24-b539-c2a8576c2e33/
SH256 hash:
abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180
MD5 hash:
ca6edf7025270d9dde5c570d68f1b8ec
SHA1 hash:
a2808a83e32b5517b8ec2b489ef0528d400ed93f
Link:
https://www.unpac.me/results/bb612348-86fa-4f24-b539-c2a8576c2e33/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abf28b7d6bbd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z bb751eb04ae7aa257cee9012a1f20eab6cabd1881724d2b840bad65f01ecf950

AgentTesla

Executable exe abf28b7d6bbd007ec70287503abe5e01d90aef2125b1287c98c6aaae0cdc4180

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 bb751eb04ae7aa257cee9012a1f20eab6cabd1881724d2b840bad65f01ecf950
Cape
Cape
https://www.capesandbox.com/analysis/401591/
  
Dropped by
MD5 2bfdf798235026ade8ccb4117c6be953

Comments