MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac
SHA3-384 hash: c0c3abbaf4bebed3a24a4a570c4806f6d735214194314a0da77b27cb77c4fe033000815ee7b4931d028376fc31da16de
SHA1 hash: ae1f4836551ea2623826b7cffb1c72ba5039ba1d
MD5 hash: f9ff39b649a0344f18a2494fb44b8d6a
humanhash: zulu-fillet-king-video
File name:Invoice2.13.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:777'728 bytes
First seen:2023-02-16 15:33:36 UTC
Last seen:2023-02-16 17:30:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Oei+WyFr1s+nqNTnbtuHA+/EyVL/CclJ3AksCZ1XbLnb3OiN87wtxx5X3aCU8LPC:/js+nqNTnbtuHA+/EyVLR/AHGbXsEjPx
Threatray 20'752 similar samples on MalwareBazaar
TLSH T136F4822DD8761AD2C074FA7206A6D560FDDC40732743FB3CB9EA96CC1B510992A8BD39
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon ecf4969696d4d4dc (3 x NanoCore, 3 x AgentTesla, 1 x RemcosRAT)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice2.13.exe
Verdict:
Malicious activity
Analysis date:
2023-02-16 15:44:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4e8981ea-7ea1-4f43-941b-4bb570983feb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/367282/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.25330.14548.21445.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ee4cf7c595c185cf534acd/reports/046d73b0-9a7d-454e-b96a-fd59d465d63f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/259dae1d-9554-4a48-9d0a-9917d3e27247
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1177289
Signature
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 810111 Sample: Invoice2.13.exe Startdate: 16/02/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected Telegram RAT 2->57 59 6 other signatures 2->59 6 Invoice2.13.exe 3 2->6         started        10 Chrome.exe 3 2->10         started        12 Chrome.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\Invoice2.13.exe.log, ASCII 6->23 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->63 65 Contains functionality to register a low level keyboard hook 6->65 14 Invoice2.13.exe 17 10 6->14         started        67 Multi AV Scanner detection for dropped file 10->67 69 Machine Learning detection for dropped file 10->69 71 Injects a PE file into a foreign processes 10->71 19 Chrome.exe 14 7 10->19         started        21 Chrome.exe 7 12->21         started        signatures5 process6 dnsIp7 29 api4.ipify.org 64.185.227.155, 443, 49695, 49698 WEBNXUS United States 14->29 31 api.telegram.org 149.154.167.220, 443, 49696, 49697 TELEGRAMRU United Kingdom 14->31 33 api.ipify.org 14->33 25 C:\Users\user\AppData\Roaming\...\Chrome.exe, PE32 14->25 dropped 27 C:\Users\user\...\Chrome.exe:Zone.Identifier, ASCII 14->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 35 192.168.2.1 unknown unknown 19->35 37 api.ipify.org 19->37 39 173.231.16.76, 443, 49699 WEBNXUS United States 21->39 41 api.ipify.org 21->41 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 51 Installs a global keyboard hook 21->51 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-12 21:55:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zk4agcxnwtmaky3jrueruamlljb5qf5tdw7jg7k7e74ui4rm3gwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
20c94daf0506d27a6bd3de27e378fc900dd44a32328a41912d60fd26677d426d
AgentTesla
348b029e61cf6f2e09cbf867cabe0f4bb9377b913acffeb8d9b264784a3828e1
AgentTesla
35d99c3fe4a44c77f9e2a9d90eeb0f9926be7a3830d7784108669414199704ac
AgentTesla
3a4b557b3dc52bc71b6b209feb4c5a5cea1b5872ba975863602507b45e1bccd8
AgentTesla
4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203
AgentTesla
8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d
AgentTesla
b0e6355e5c14052a080b4a3aaaf92072a1cc04c476d4bc1bcc44a7b6abf6c9d1
AgentTesla
edbe483f1204111a68f4942f898fcf1093ee26a4664bdea61a2b0f100cffb551
AgentTesla
f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6
AgentTesla
+ 20'742 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230216-szrvqshh5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5700247611:AAEzrViORjqkWwP325wS-O3Mi1nOD6uBZcM/
Unpacked files
SH256 hash:
3bffca411a2930b655f92a69a70006f2850ad9bad80148a8195a3499a85dd6d1
MD5 hash:
fba2629ade0db75b2574a9b8eb516014
SHA1 hash:
73ead67df60490408f9efdc9b166135fea15d700
Link:
https://www.unpac.me/results/fa80d60f-91b3-46e5-aa51-d976805e93bf/
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/fa80d60f-91b3-46e5-aa51-d976805e93bf/
SH256 hash:
02dcdcef911ba74dabaf0ea6347c2ecbc7098fb6e8244b237b52d81e62df9368
MD5 hash:
6d330cb6279b0f70a71c3957bf7d37ea
SHA1 hash:
23429b1da57f79482ae1498f5a50fdb381c41871
Link:
https://www.unpac.me/results/fa80d60f-91b3-46e5-aa51-d976805e93bf/
SH256 hash:
cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac
MD5 hash:
f9ff39b649a0344f18a2494fb44b8d6a
SHA1 hash:
ae1f4836551ea2623826b7cffb1c72ba5039ba1d
Link:
https://www.unpac.me/results/fa80d60f-91b3-46e5-aa51-d976805e93bf/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cab8030aedb4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/367282/

Comments