MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c
SHA3-384 hash: 4291ad33b93c4e83dba87acbb62599d418edd6103cc4fd65f374af306ed038314beab28c12044b7735513cc3b5f61aa8
SHA1 hash: 1e19f4171363d70c4a212344b55aee522c7d5e08
MD5 hash: 85c72af1b46041126954292323c5304d
humanhash: lactose-vegan-helium-orange
File name:PHIẾU THANH TOÁN.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:702'976 bytes
First seen:2024-12-10 06:02:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:kadY9shQgcpE8j9EDDcBBul1Z11vRrmeRZ4ktVUAVrWSf:HdhlUE8CDDcif7AeRZ4kDUEW
Threatray 284 similar samples on MalwareBazaar
TLSH T111E4F1A47B1DC513C5941B348EB1F6B9266C9E8DF912E2076EDC7FAFBC32A151C14282
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 30d4f068e9b0d430 (7 x Formbook, 5 x AgentTesla, 2 x VIPKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PHIẾU THANH TOÁN.exe
Verdict:
No threats detected
Analysis date:
2024-12-10 06:18:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/afa7cf12-b7b4-4cf8-9b12-0cecf81f0262

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.34.9441.19270.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6757d99b48182d1685576376
Tags:
fareit virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/faaaf600-d835-4127-a53e-254dcc5ba142
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1572127
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-12-09 03:12:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlgn7dv7nmiznxwau2g6jumrpmhshjpd6hxv25kwuw66tps6rzwa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
AgentTesla
12d47f62ed1f5d60193a3a3099873286365c15dc6bf9df17aa250e1f7660c36c
AgentTesla
550396bef4076d1d9819ab7bc40f61b6ecf0af88fc68869a5aabd0d88f084005
AgentTesla
7eaafbaab938950dd4391329f899ef84b9e37267433dc3ca88545e0304be2124
AgentTesla
8c9ecbc59525eb2696bc09eef4a3e15df74be78bf378594fb204349bc949edab
AgentTesla
error
AgentTesla
+ 274 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241210-gr1xwswjcw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66cfc186-ca84-41c9-91db-d95c1df089ef
Unpacked files
SH256 hash:
5fa112b1282724834c059da068d721cdb21719d4ebe1118fd1cc3e25f6b8bb09
MD5 hash:
36d9001b4b1d2757bc9fdf92f40947d3
SHA1 hash:
e5239a21502b4655bb8e94eca846b8f8e19f152a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d778a9e3-23f2-4b29-916f-01d7ed1e0a71/
SH256 hash:
8ed77aa4c0113978b8198b74194e62b9bfd0c61d86452abae38321d986d05022
MD5 hash:
b2d9afa11e8407408fd40978efb6a88e
SHA1 hash:
36f7f12bb5d4787f9e71ce1be8d0defd3bdc1827
Link:
https://www.unpac.me/results/d778a9e3-23f2-4b29-916f-01d7ed1e0a71/
SH256 hash:
baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c
MD5 hash:
85c72af1b46041126954292323c5304d
SHA1 hash:
1e19f4171363d70c4a212344b55aee522c7d5e08
Link:
https://www.unpac.me/results/d778a9e3-23f2-4b29-916f-01d7ed1e0a71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments