MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d199053ccdab23557f4536b2e8e1b46bf169b3f619fd8f4f7ede7617ee42d631. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d199053ccdab23557f4536b2e8e1b46bf169b3f619fd8f4f7ede7617ee42d631
SHA3-384 hash: 371b657c847767f196a81371d86e44170b3f7d21bb1a50f26b7b7f2ee8778d9f9ad1f9530b518a249f86f0dabd1ab750
SHA1 hash: 5e14c294c76598c60722f314c9dd453cdd0da716
MD5 hash: 118ebddefb6f9c6af832aa5879417d78
humanhash: idaho-item-wolfram-mike
File name:Invoice No. 309320.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:969'728 bytes
First seen:2021-06-08 05:40:35 UTC
Last seen:2021-06-08 07:12:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'613 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:K8J4ZvCuQMAgyVwkFXUk9lup3OvtqCRmWZUPUP6ZS+KuR/3zy1OrzhXDjl2azOAy:vmZ7yXUfRcEhRby0r9l3O+0j
Threatray 5'683 similar samples on MalwareBazaar
TLSH A525392439FA901AF173EEB95BE4B4A6DA6FBB733B07641E109103864723A41DDC153E
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
5
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice No. 309320.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-08 05:42:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/511872ff-7d0b-48a5-9494-89d75cb96242

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165124/
Detection(s):
SecuriteInfo.com.Trojan.Hosts.48580.7861.13795.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the hosts file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798474
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430870 Sample: Invoice No. 309320.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 8 other signatures 2->49 6 Invoice No. 309320.exe 3 2->6         started        9 kprUEGC.exe 3 2->9         started        12 kprUEGC.exe 2 2->12         started        process3 file4 25 C:\Users\user\...\Invoice No. 309320.exe.log, ASCII 6->25 dropped 14 Invoice No. 309320.exe 2 5 6->14         started        51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->51 53 Machine Learning detection for dropped file 9->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->55 19 kprUEGC.exe 2 9->19         started        21 kprUEGC.exe 12->21         started        23 kprUEGC.exe 12->23         started        signatures5 process6 dnsIp7 33 mail.framafilms.com 185.220.245.14, 49726, 587 SEEWEBWebhostingcolocationandcloudservicesIT Switzerland 14->33 27 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 14->27 dropped 29 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 14->29 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 Tries to harvest and steal ftp login credentials 14->39 41 4 other signatures 14->41 31 C:\Windows\System32\drivers\etc\hosts, ASCII 21->31 dropped file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d199053ccdab23557f4536b2e8e1b46bf169b3f619fd8f4f7ede7617ee42d631/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 05:41:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gmqkpgnvmrvk72fg2zorynunpywtm7wdh6y6t363z3bp3sc2yyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e43a9cb578534543e39c04879feed5a1d9af3f58ab4c60f306bbedcb2be1470
AgentTesla
23253ec8ed43b22967f06038e156f5cc113f9c7b33c0ed829bf138288366aaa3
AgentTesla
559ac8d4a0d12e54467002c83f33cf63f01158a729ff2143b68a5ec42b8535ad
AgentTesla
5876d94ff8e996ceec16ce9001dd240bededc1533a6a3649fa00de5f314779e2
AgentTesla
7b02e22073253967e128923d67d88b168e2924ef953e96e9d9abdfb4a57230e1
AgentTesla
996622ce157f045f7b52955268d0dcc0f312700a3898515405dc344967095a2a
AgentTesla
a84f11e95b767a018ebd535c055ce9dd39d0ab23bf563312092662cd8cedf00b
AgentTesla
f08ff724feb8fda8a6b1b3ed93aaa4b7e0b7350e900c346ace0fc5331bfe8a6a
AgentTesla
f0998181a413c33d7696007625fdaa39855e454ef248ca2f2368ff2618468271
AgentTesla
f6cb1d3d7f8d28a30f739557742cc8dcbb3589238352a8b2fde5800f212374d5
AgentTesla
+ 5'673 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210608-6ltzha4146/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/c1e2c370-8b38-4464-a07b-158587ff7ef3/
SH256 hash:
f435d92110168c7d8bddc87561e154931cf113c9ce41fc1a985838ec7cdaa192
MD5 hash:
f9e96724325821b78a381adb32d22c14
SHA1 hash:
bf5bc723a05d26b991ff76733f0acf0810871588
Link:
https://www.unpac.me/results/c1e2c370-8b38-4464-a07b-158587ff7ef3/
SH256 hash:
f16cfb4fe4f51477e7296b0f6cea65327bd378bf3d1f94b96e4037135905707f
MD5 hash:
c8781bfd6540ea80da28fdeafae8198d
SHA1 hash:
a297148e04719e86201ff00a412c939f10e2611f
Link:
https://www.unpac.me/results/c1e2c370-8b38-4464-a07b-158587ff7ef3/
SH256 hash:
d199053ccdab23557f4536b2e8e1b46bf169b3f619fd8f4f7ede7617ee42d631
MD5 hash:
118ebddefb6f9c6af832aa5879417d78
SHA1 hash:
5e14c294c76598c60722f314c9dd453cdd0da716
Link:
https://www.unpac.me/results/c1e2c370-8b38-4464-a07b-158587ff7ef3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d199053ccdab23557f4536b2e8e1b46bf169b3f619fd8f4f7ede7617ee42d631

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2d2c4e635a371703010f38a45110fb8b52fe50eb02d9469f8dac7686e7b2feb8

AgentTesla

Executable exe d199053ccdab23557f4536b2e8e1b46bf169b3f619fd8f4f7ede7617ee42d631

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2d2c4e635a371703010f38a45110fb8b52fe50eb02d9469f8dac7686e7b2feb8
Cape
Cape
https://www.capesandbox.com/analysis/165124/

Comments