MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2340963087eeade7fcdae5b1dfb1b45680247aee534d34b546711cf2a4d8a98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2340963087eeade7fcdae5b1dfb1b45680247aee534d34b546711cf2a4d8a98
SHA3-384 hash: 7832194ca53b130e9ff7a9b6d550170cf474b276455ec7437e51a25bd9718423d73747a9710074f8e521ea9e0440e2b2
SHA1 hash: 13b967d09e8fda77ada3a9c6f2c9952bfa3bb317
MD5 hash: 084ff8ec48c4a375bdf449dfb85207e2
humanhash: pennsylvania-zulu-skylark-neptune
File name:Proforma Invoice #15032016-A001..pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:737'792 bytes
First seen:2022-05-24 12:32:41 UTC
Last seen:2022-05-24 13:48:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8j1EQOUfL1gFdUWfPfn186/R8NoT6ooIv5EdvgJyOhsbTcWAKCt7gV:8J126V6/R8NYrv5EdvgkOGbTcJk
Threatray 16'450 similar samples on MalwareBazaar
TLSH T18CF4F005B6A6CF13C36816B6C1D3112813B5958A8733D3973EDA61D60D027AABDCE78F
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2961d3133038ee8 (24 x AgentTesla, 18 x FormBook, 8 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Proforma Invoice #15032016-A001..pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 03:34:28 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/582879ae-71c4-4e38-859e-6e79a492d059

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274068/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe wacatac
Link:
https://www.filescan.io/uploads/628cd0bb054dcf0ecae79d17/reports/7b9c0a5d-47aa-4332-830d-d95bfcf0185a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d616c4f3-312c-4877-ac49-7a29c93f5378
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000619
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633110 Sample: Proforma Invoice #15032016-... Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 14 other signatures 2->60 7 Proforma Invoice #15032016-A001..pdf.exe 7 2->7         started        11 hVOaD.exe 2->11         started        13 hVOaD.exe 2->13         started        process3 file4 36 C:\Users\user\AppData\Roaming\SNuikbLDz.exe, PE32 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmpFF66.tmp, XML 7->38 dropped 40 Proforma Invoice #...6-A001..pdf.exe.log, ASCII 7->40 dropped 62 Adds a directory exclusion to Windows Defender 7->62 15 Proforma Invoice #15032016-A001..pdf.exe 7->15         started        20 powershell.exe 24 7->20         started        22 powershell.exe 25 7->22         started        24 schtasks.exe 7->24         started        64 Multi AV Scanner detection for dropped file 11->64 signatures5 process6 dnsIp7 42 smtp.yandex.ru 77.88.21.158, 49769, 49770, 587 YANDEXRU Russian Federation 15->42 44 smtp.yandex.com 15->44 32 C:\Users\user\AppData\Roaming\...\hVOaD.exe, PE32 15->32 dropped 34 C:\Users\user\...\hVOaD.exe:Zone.Identifier, ASCII 15->34 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->46 48 Tries to steal Mail credentials (via file / registry access) 15->48 50 Tries to harvest and steal ftp login credentials 15->50 52 2 other signatures 15->52 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b2340963087eeade7fcdae5b1dfb1b45680247aee534d34b546711cf2a4d8a98/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 10:23:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wi2asyyip3vn476nvznr36y3ivuaer5o4u2ngs2um4i46ksnrkma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23
AgentTesla
2b001efb73728bc1e2eb6673245d9ce216a70b7b67c779824905ed29eda85038
AgentTesla
4303985ee7b44ba9c01edd967873f8b12df0dcd267f48df10962b3368e01ff82
AgentTesla
5bf9f321e795da8caa68cef487b457a673fc98aca56cbbcf70fdf7f180d32ec9
AgentTesla
b3587ff41c4ab5cfd37aa464d4f32ec71e86860b9089da3ea4df459a3d44b446
AgentTesla
fb6c380b910cba16a60426c3671d3b19e5a90fa1061769178edc7a0821c8224f
AgentTesla
fb72ec8effa840d66cb8783f6045590f7296d2df886b9ac5db48a684a3f87e29
AgentTesla
+ 16'440 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220524-pq62hsadd2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
a23fb2634db6102f92d42b34b65f3517965bd69d2d480a0cab3e34f535f6be65
MD5 hash:
5cbf6cda407274dc77f2dcc0f03882f0
SHA1 hash:
ee7628c1318b99cd2fe6208ed5a93a7ab6fa0afb
Link:
https://www.unpac.me/results/8b9bf9ca-2d56-49d1-b5db-9bcd05a4a8bb/
SH256 hash:
a86c87efeff8818db401cbe2766173360af391deefbe8969c48b3e6735f093fc
MD5 hash:
3f1a3aa892cf1c99498174e1b1ce645f
SHA1 hash:
965f19b887864b51fe2ad602319035de8261a290
Link:
https://www.unpac.me/results/8b9bf9ca-2d56-49d1-b5db-9bcd05a4a8bb/
SH256 hash:
7fc3a061a6e1994477839381444ed4f983946612d0089e6831bd2bade175f9ca
MD5 hash:
748acb34a51e6c4974b38c39ae84f3fe
SHA1 hash:
89b81512a0111f8c4e43387fd26cc253b35fa07e
Link:
https://www.unpac.me/results/8b9bf9ca-2d56-49d1-b5db-9bcd05a4a8bb/
SH256 hash:
0e272db5ae82fa509675746c0570de42e505339e6c66076e8260913d9fbaa4b6
MD5 hash:
9e3f369b325240d3329367aed8dd1a26
SHA1 hash:
78645cdf408d5049b2b8df039dd0478e7d4df8de
Link:
https://www.unpac.me/results/8b9bf9ca-2d56-49d1-b5db-9bcd05a4a8bb/
SH256 hash:
cce2c40c48a6eebe75b0998e5b5adebf33bd488c271a3754c20a41bd97c85ba1
MD5 hash:
a834e9d65976288ee3e08fde4fe6bde6
SHA1 hash:
162de64c9e6d3d20453babec33df071558fa83a8
Link:
https://www.unpac.me/results/8b9bf9ca-2d56-49d1-b5db-9bcd05a4a8bb/
SH256 hash:
b2340963087eeade7fcdae5b1dfb1b45680247aee534d34b546711cf2a4d8a98
MD5 hash:
084ff8ec48c4a375bdf449dfb85207e2
SHA1 hash:
13b967d09e8fda77ada3a9c6f2c9952bfa3bb317
Link:
https://www.unpac.me/results/8b9bf9ca-2d56-49d1-b5db-9bcd05a4a8bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2340963087eeade7fcdae5b1dfb1b45680247aee534d34b546711cf2a4d8a98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b2340963087eeade7fcdae5b1dfb1b45680247aee534d34b546711cf2a4d8a98

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274068/

Comments