MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba43866447e97dea2a94cfb5ae8974be90809331cb9d90ab5abf6f1d8dcd49f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba43866447e97dea2a94cfb5ae8974be90809331cb9d90ab5abf6f1d8dcd49f2
SHA3-384 hash: e467d46cfff6a412122835eeaf67411eb592400941d6b928b291e8f7817972f818def6ed90626d959a41359d3863e9d1
SHA1 hash: cc9cdfe7ce44bd95ed74e11587e3f5b93d0d25b3
MD5 hash: dc48ca374b69315b5b781f074453d3b8
humanhash: carpet-cold-three-juliet
File name:Payment Advice doc.bin
Download: download sample
Signature AgentTesla
Create hunting rule
File size:567'296 bytes
First seen:2022-06-28 10:14:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'880 x AgentTesla, 19'800 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 12288:o+fo2iN/2iNR0ATQP5Uo92jwnvKgwOR0/flPwlPkPRxliW1:Dfo1J1ZTWUokMnCfOClEkPRrh
Threatray 18'957 similar samples on MalwareBazaar
TLSH T133C4128D26F48B19E5FA87F8299C57141BB9B00EEAD5D50FBCE522CEFD203B44251A03
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags:AgentTesla exe HSBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Payment Advice doc.ace
Verdict:
Malicious activity
Analysis date:
2022-06-28 10:13:18 UTC
Tags:
agenttesla trojan rat
Link:
https://app.any.run/tasks/fd6174d8-c7ab-4074-aa3e-ea2c97f9a55b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283873/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bad4aefb0f8ab80892dd4e/reports/05e76d75-27f6-4a43-bdde-ccc9588bdab9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15303a06-a18c-4c60-a50e-72896086cd5f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021084
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ba43866447e97dea2a94cfb5ae8974be90809331cb9d90ab5abf6f1d8dcd49f2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 09:02:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjbymzch5f66ukuuz6225clux2iibezrzoozbk22x5xr3donjhza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bc6c86dea21908ac6aef347496633f120db5c573a0455f03647c3399c606b59
AgentTesla
20da9061d97a613081f164a4ace352121755f24a0e0c717d2791e03579daff53
AgentTesla
5bbe20646d38c2bb4bc38650649633c5a78522a6ea2f09f04cb6be0f3075544e
AgentTesla
76bfbb524e921f7639ecbb2c7d40e072d5b45aa4b8521a45d82d85f96743afeb
AgentTesla
98aeacaea9d4c101bcc2ae23384f20e93620b3df41e4eca1676aa2bba92c4cbf
AgentTesla
abd985aa1bfe39c848147583e821f9a2b0c806db69900e96850a7a9d70dbb75d
AgentTesla
b4ec047f3f903dc0b392011101cdfb299b3b99377cb639b8b5d5a247f3917fee
AgentTesla
+ 18'947 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220628-l9mv7sgfhl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d
MD5 hash:
9b17d560e68eff0da30f79b3c391c9a3
SHA1 hash:
5ceda263b1ea13401f652c709dd884d58945fe57
Link:
https://www.unpac.me/results/73f3f0d4-c9b5-4f15-93e7-dbb223fe5b90/
SH256 hash:
6f0a5bc744d577aee6d58511174129e72d2aa615164e9ec6f6526ac6f015fafd
MD5 hash:
5c44669831cfa7f9a048717d7a97152a
SHA1 hash:
5b78f927a09ce66b8591a6424f05fb4560a225d8
Link:
https://www.unpac.me/results/73f3f0d4-c9b5-4f15-93e7-dbb223fe5b90/
SH256 hash:
1bcbe70ba53ffc2d51f844e67dedd6827d838e3895d65b203b8f1869249e03db
MD5 hash:
224f325bf0fef1ef14ee27fc5d5f35e5
SHA1 hash:
5b4142aa7417f24e791b09e273e5338c42b20188
Link:
https://www.unpac.me/results/73f3f0d4-c9b5-4f15-93e7-dbb223fe5b90/
SH256 hash:
9ded2a65b09fc27f92b5693764d6728d3e7ab9576ed97d913ca5895e50a45962
MD5 hash:
40a2817ee25aa7b07d37c62424dff9ff
SHA1 hash:
36f48038a3cb2e24f453108c59f19e489a01d9b2
Link:
https://www.unpac.me/results/73f3f0d4-c9b5-4f15-93e7-dbb223fe5b90/
SH256 hash:
bdd0215fba025fd887f662b73e6589c270d1f79603960ab0b3165dad5de60a63
MD5 hash:
f14460e9d0a44e0d7516a1c28d91cfa8
SHA1 hash:
101390b56de19b3027f422f236e48884a92303d8
Link:
https://www.unpac.me/results/73f3f0d4-c9b5-4f15-93e7-dbb223fe5b90/
SH256 hash:
ba43866447e97dea2a94cfb5ae8974be90809331cb9d90ab5abf6f1d8dcd49f2
MD5 hash:
dc48ca374b69315b5b781f074453d3b8
SHA1 hash:
cc9cdfe7ce44bd95ed74e11587e3f5b93d0d25b3
Link:
https://www.unpac.me/results/73f3f0d4-c9b5-4f15-93e7-dbb223fe5b90/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba43866447e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba43866447e97dea2a94cfb5ae8974be90809331cb9d90ab5abf6f1d8dcd49f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283873/

Comments