MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0
SHA3-384 hash: dc8e6e2d26187a7ef6307221cbfd02e468122859d10f22801047e78f2fadbb31b3d0f1534f1661d3c6081ec4c36f6ea7
SHA1 hash: d5ae4208fe0f8de0def874148de4bd6c6b3b0ac0
MD5 hash: 98bb403612f7b703221cf8ff8024a2f5
humanhash: purple-lemon-illinois-happy
File name:Overdue OA payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:777'216 bytes
First seen:2023-08-15 07:28:22 UTC
Last seen:2023-08-15 08:33:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:4qq8jW8aZZQ4UZ+9DHIowluNPuQtCBipQLpvmUMykv0V56/qUVQ0p+1j2lj5:1qCW874C+9Doowludhty5CykvA56/qK9
Threatray 1'315 similar samples on MalwareBazaar
TLSH T186F423B134BDF734CE9B1A77185261445370DF53AADDFB6BACE4304298D3309A4A292E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 5ab9f8e4f8999ab8 (5 x Loki, 5 x AgentTesla, 3 x Formbook)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Overdue OA payment.exe
Verdict:
Malicious activity
Analysis date:
2023-08-15 07:31:12 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/3415fcf9-bca6-4ea9-a5b9-dd99b2f1adf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442736/
Detection(s):
Sanesecurity.Rogue.0hr.20230803-1434.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/22d5bdc2-06eb-446f-a072-3b4fc8c0aa3b
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291289
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-08-03 08:43:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2h6lpul4ti5sfde25f2nl3chqijmo7vrp5fl74tmiahzfxccu3ia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
39c3188d01340e7dde2d297ac10dca13ec5fb3299ac57c2259dd81007660206f
AgentTesla
547cd0ab1f4369a1f7e6477acf6a1440ff44ed8f8839a77a0317cb96f7dd088b
AgentTesla
5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1
AgentTesla
9650d6c845801163fdfb37c0197340331f74cc389c520baa850c0b6cd66ab70e
AgentTesla
9d16f030796c701a2fc2481bf376df82914d34581547795b81154e3f249f1549
AgentTesla
b1939d6e95225c8c014d21e3d3ec6867cefc6fd9f72c3568be32193eca8982e1
AgentTesla
b9e6488c93fae6e4ad6d346070252c97799fa2a32dd6d850d18e05446ec6968c
AgentTesla
d69a6884ce826abeff346e7439fe7b96ba2303ed471f392ab8f98e71735383ec
AgentTesla
df9601c2abefafaf4da2b6b95d6beb6a8f59d62e527cb803879f49e12bc6a798
AgentTesla
+ 1'305 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230815-ja8yaabd81/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage?chat_id=1909112828
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/256e6f88-dfae-44cd-84d5-82e80fc97481/
SH256 hash:
321ef9f3eec156c17704596955128e2d79d3020b0238f5d7722117f1f6db171b
MD5 hash:
b65644a68beff63d16313b6db97ee97f
SHA1 hash:
95c88ba3941d7599ef2a1d2ab86fd1952ec9bbc0
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/256e6f88-dfae-44cd-84d5-82e80fc97481/
SH256 hash:
49145ed861b412bc015ff0800969052756deea17d5c6285da8f5937c0efdad46
MD5 hash:
0ef5168d36eee9ca0bcefcd84b907b70
SHA1 hash:
b40debea28d99750fe9b6a2b7d243eb35549aed5
Link:
https://www.unpac.me/results/256e6f88-dfae-44cd-84d5-82e80fc97481/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/256e6f88-dfae-44cd-84d5-82e80fc97481/
SH256 hash:
8371489f68ceb485db4addeaecdbb45e7aa3b1ce9184e8eb73b4785ddff14303
MD5 hash:
8965cd05db583776aca5a81d4ce75e6d
SHA1 hash:
5cd66b599003b82c65e194f180f7fd8e94daebc5
Link:
https://www.unpac.me/results/256e6f88-dfae-44cd-84d5-82e80fc97481/
SH256 hash:
d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0
MD5 hash:
98bb403612f7b703221cf8ff8024a2f5
SHA1 hash:
d5ae4208fe0f8de0def874148de4bd6c6b3b0ac0
Link:
https://www.unpac.me/results/256e6f88-dfae-44cd-84d5-82e80fc97481/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 43ac3a21c7bfe1b8e7f7a1761d493993d432dc8dfab0cea684730944c06d0d7e

AgentTesla

Executable exe d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 43ac3a21c7bfe1b8e7f7a1761d493993d432dc8dfab0cea684730944c06d0d7e
Cape
Cape
https://www.capesandbox.com/analysis/442736/
  
Dropped by
MD5 324d206783a13d934c746434dd9fda58

Comments