MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead
SHA3-384 hash:	0721c9f345f81b014a180eaf8e25ec85374584c019a8308abb55444dd0c99a6fc294ca81aa30f17094852ec75f8dd305
SHA1 hash:	b843f0fde8f544cde99e7e408c8562bc86f4a2cc
MD5 hash:	93a41bdf1e19321e51965918a1339b08
humanhash:	artist-magnesium-carpet-failed
File name:	PAYMENT INSTRUCTIONS COPY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	791'040 bytes
First seen:	2023-02-21 09:53:14 UTC
Last seen:	2023-02-21 14:23:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:bHTsIBMNjnNNOhAe/S0fj1FSQNyTihwGQBI:bzIihwGQB
Threatray	3'006 similar samples on MalwareBazaar
TLSH	T14FF4053D39B796D2C239FA3386D7E130B6BD80923303D95999D61AC04F426827DCEA5D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe payment

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PAYMENT INSTRUCTIONS COPY.exe

Verdict:

Malicious activity

Analysis date:

2023-02-21 09:54:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/64d52784-d570-4cbd-aecf-c5908369e419

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368582/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.19116.10262.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f494bde6a5b4588ca11f99/reports/6c29a61e-f968-4a8b-a6c1-ad30d5886d0e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc9434bf-7944-409e-8bf0-0b16b4de0baf

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1179641

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead/

Threat name:

Win32.Trojan.Injuke

Status:

Malicious

First seen:

2023-02-21 09:53:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 22 (86.36%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xp33rqgdkqqyr6niwywnhqewzzb5su3lrjrvynimtylof3tkb2wq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48

AgentTesla

72e713d25be6feb7c88cddfd471d9836371bd44cac7199cc1c44838e6946b807

AgentTesla

d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

AgentTesla

ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161

AgentTesla

e60df4c4e0c5fd9cb3bc3863d6ca5e668f44120187dd66fa0239c0741653e5e7

AgentTesla

+ 2'996 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230221-lw7y8aed26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

c68b56db145c1cf099c98315e3bb1a221bfd232eb3fc4b71066bb92de6a9ff8e

MD5 hash:

9fdeb70414f53e82e470f551c6cd6084

SHA1 hash:

a5d6903ec20398721505518ddcc9bf6a4708a3a2

Link:

https://www.unpac.me/results/3375f3eb-e996-4c4c-8eea-a03c45d9ae11/

SH256 hash:

452677f7538cdad7eae21f72f500cc0fa48d6fef66e22176612ea26ef4813cdd

MD5 hash:

8bcebae63e79b193a35982314d8c3dbb

SHA1 hash:

7a45432f9b4329dd82dd31389631eb9b907c8e31

Link:

https://www.unpac.me/results/3375f3eb-e996-4c4c-8eea-a03c45d9ae11/

SH256 hash:

94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129

MD5 hash:

874dcc6be499121b1425bfdff1f8ad46

SHA1 hash:

66f83bedc73876b77e152c604b8214bde86d965e

Link:

https://www.unpac.me/results/3375f3eb-e996-4c4c-8eea-a03c45d9ae11/

SH256 hash:

bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead

MD5 hash:

93a41bdf1e19321e51965918a1339b08

SHA1 hash:

b843f0fde8f544cde99e7e408c8562bc86f4a2cc

Link:

https://www.unpac.me/results/3375f3eb-e996-4c4c-8eea-a03c45d9ae11/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bbf7b8c0c354/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.