MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664
SHA3-384 hash: f594434f8a4dde734fbc744d2f7c0f7e353a31689b733f39ac4ec68a3cfe8476cff0b59353e818d843b71b55fcfed1d9
SHA1 hash: 9872c5ca7e66081a8a76e57cf319b78d53a75a07
MD5 hash: e2f79b46c996e887810538e354995a93
humanhash: summer-network-two-double
File name:Invoice Confirmation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:689'664 bytes
First seen:2023-08-20 10:02:22 UTC
Last seen:2023-08-20 10:46:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:P2KMxm/gPrkroUmEGSh4B9BoTEGvp5UOrnz0cJVJx74gSDRSMNdrlNXQy/ja:Pt1wrkrnj09BolDrzLhx74gSwMNdXXQs
Threatray 989 similar samples on MalwareBazaar
TLSH T1B8E42253701C4FB6F9BCEBB6A421430257F3B68E4472F60F4E8511C96A56F022A4FA76
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2a4d1796334d4d33 (3 x AgentTesla, 1 x SnakeKeylogger, 1 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice Confirmation.exe
Verdict:
Malicious activity
Analysis date:
2023-08-20 10:08:08 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/c0807fee-0fc3-4e1e-9b19-7117ea00cfeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443745/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Moving of the original file
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/508d3cc6-f3d7-4a4d-ac34-0d1aad631eef
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292867
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-17 16:14:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yufszqvqpirb5mmnbyizkted4aciljg2pn3ssprnzdo4vyuhyzsa._file
Verdict:
malicious
Similar samples:
156305fe33e5c9944f7de74cf2c94fa9ce976163c128019e5ffd761351368a09
AgentTesla
2484791ea3c160c3de266ebd831f707da64d5e5f31ed81270bf18947128d0933
AgentTesla
4c15743287e80d5077f5bbd94c767bc734f1392abc330bb25d447b535efdae24
AgentTesla
88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537
AgentTesla
916c26e1e43c03fb2faff6fe47a65492f0966ea0b5ae7ba4fd864af05f1e6ee8
AgentTesla
a5301092e1f1fc43f920e0901771c2fe86a781d1821349b4aedc98efd9fea546
AgentTesla
bf057fe8bcc9d25c24b876efce0dccf29a5fdbfac6eead9f84665d40d4d7a2a9
AgentTesla
c55bc8db8e2e82ba94d54b7e372cd2063608519f29815af447bacba01f4c33fd
AgentTesla
e4f1164364a86e7ae9293f9df8d976c8037e6701c7fb7103182186c2f5cd4968
AgentTesla
+ 979 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230820-l3crnaga3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/a191e8b1-f16b-405e-8180-29ed0c35c2b0/
SH256 hash:
1ae78faac20f6c56b6b1dd3ee1d27823fd602e4c2daa3a056c715d9554acd124
MD5 hash:
02ba0013818037baed5c1b8b48f2ae75
SHA1 hash:
6514b1efdd0869c4ee14e1ea1b23c81a10a98586
Link:
https://www.unpac.me/results/a191e8b1-f16b-405e-8180-29ed0c35c2b0/
SH256 hash:
9c4081a46efd752549d04f78abfd8fd0d328d8f6ab8f3f1f88ae2f03facce561
MD5 hash:
119bc83a88c77a9ca105491a59d8fd19
SHA1 hash:
61db107ccf68a4f0fe499641163d552199eb7cb8
Link:
https://www.unpac.me/results/a191e8b1-f16b-405e-8180-29ed0c35c2b0/
SH256 hash:
aa3670a577d4c6a9de6032190f2e147ca39d1a7b7cdaeba6b29205da945ba9f5
MD5 hash:
b2ba69c87d0423b3ea3e23e0784e8dbd
SHA1 hash:
0131a3bdd22a942b42310e1f9bfcba786d077959
Link:
https://www.unpac.me/results/a191e8b1-f16b-405e-8180-29ed0c35c2b0/
SH256 hash:
c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664
MD5 hash:
e2f79b46c996e887810538e354995a93
SHA1 hash:
9872c5ca7e66081a8a76e57cf319b78d53a75a07
Link:
https://www.unpac.me/results/a191e8b1-f16b-405e-8180-29ed0c35c2b0/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c50b2cc2b07a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443745/

Comments