MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9
SHA3-384 hash: 83b0de17b89eaaf70a753e3fd4d93e6219fef92f192859fc9c9bc6d64d18dd259396502bb5416cc043d46f44e5309c2c
SHA1 hash: 23b01d8ad2bdbdf041ece51fd1f3bdb0c3f8d947
MD5 hash: 384cd2634f56d5d5de84d44be4d61f5b
humanhash: video-eight-twelve-failed
File name:INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:589'312 bytes
First seen:2023-07-05 06:14:08 UTC
Last seen:2023-07-05 13:57:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:UmSTHk6Eyl7FZaOLFdUFsBW6hlzsbKbZXL+2RR:CHk8ZaA+srzs0/T
Threatray 741 similar samples on MalwareBazaar
TLSH T14EC4593C1CBC5E23C071C6B68FA5C461F558C5EB32A28F3667C79A95461E90229CBE3D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2023-07-05 06:15:21 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/6a757d8e-df83-4939-bf2b-281abd0bfa07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/407374/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67959125.29955.23381.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64a50a691aae5c95e186a344/reports/b9af2b97-1afe-46c8-970e-12b63f9bfcb4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/851e7277-729d-4191-8857-48532d15fe42
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266971
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266971 Sample: INVOICE.exe Startdate: 05/07/2023 Architecture: WINDOWS Score: 100 53 Antivirus / Scanner detection for submitted sample 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 5 other signatures 2->59 7 INVOICE.exe 7 2->7         started        11 IsHxYYhYoKf.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\IsHxYYhYoKf.exe, PE32 7->35 dropped 37 C:\Users\...\IsHxYYhYoKf.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpC7B2.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\...\INVOICE.exe.log, ASCII 7->41 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Writes to foreign memory regions 7->63 65 Allocates memory in foreign processes 7->65 73 2 other signatures 7->73 13 RegSvcs.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        67 Antivirus detection for dropped file 11->67 69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 23 RegSvcs.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 mail.vpindustries.co.in 103.53.42.223, 49720, 49724, 587 PUBLIC-DOMAIN-REGISTRYUS India 13->43 45 api4.ipify.org 64.185.227.156, 443, 49719 WEBNXUS United States 13->45 47 api.ipify.org 13->47 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->75 77 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->77 79 May check the online IP address of the machine 13->79 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        49 173.231.16.76, 443, 49723 WEBNXUS United States 23->49 51 api.ipify.org 23->51 81 Tries to steal Mail credentials (via file / registry access) 23->81 83 Tries to harvest and steal browser information (history, passwords, etc) 23->83 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-04 06:56:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23exptwmntodjnhgyy3dfdrmbflryjsr4n4hspg4glgyavblkteq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03659d0acded7fe7db7daf0c7179d37e20cf38c5db6d5f2942bdcc2236cd497f
AgentTesla
0aea55a753fc5e090556cab151517684fc4526f2fdf65523abea2853ad11ba3c
AgentTesla
6016b69e0267c1d95bdc8d1b685bedd1c0bef182fd197e3ee6f1753b8ba59eea
AgentTesla
7a4d39a7259028f1b42a0eff7414a273057dc2b880108d3152c5b20e02c6a407
AgentTesla
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
AgentTesla
c70291d066509c793d856441dcc58925289bbd828b069cf6a656cbc67d157465
AgentTesla
d60d94a1edcdab800f81abe6f72248469547a1b55f89cd872acda4cc6d7dee61
AgentTesla
d9ad2df08f75b265cb1865f6f3ba322488b69ab7fa1ce94ca509b27ec1c10129
AgentTesla
e81901a970e6242560a0a44bc37bfa54a19174920f1f1ea032aeecc2008f2884
AgentTesla
f4d6855474eaf9cf34a5f7b168b05bf88f174935f57104378d3bc5ac0db64430
AgentTesla
+ 731 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230705-gzw9nscc5v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
3b838263d0f4476158ab25ceae765c14f1f0b1b32bf4f26869155e48c8590e75
MD5 hash:
310ff8cb145679b1bdb450a2634eb65d
SHA1 hash:
3c1074c1aabd2e8f1118e194cebb0133a7b31f01
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
9e8956ad03a20cabde40e1ab55cafd0439c2afdb4918c66bfcefb5b404213764
MD5 hash:
5e81fb93e0c9c26b2f59195af9dba7dc
SHA1 hash:
1c93fc90385e066d4580b7685842970ec9f686bb
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
Parent samples :
d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9
aeca0f43e2dcfd7b0b8c07682087952421baea175897a351d58adf0e37ccce40
72377a1023075ac814e170afb8a15d720f6f62f26311ad910c91ead8f4459cc5
6461077970b9463db60faad97819790772c4b8cf94cc068d6a6524f5b7fc28de
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
3b838263d0f4476158ab25ceae765c14f1f0b1b32bf4f26869155e48c8590e75
MD5 hash:
310ff8cb145679b1bdb450a2634eb65d
SHA1 hash:
3c1074c1aabd2e8f1118e194cebb0133a7b31f01
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
9e8956ad03a20cabde40e1ab55cafd0439c2afdb4918c66bfcefb5b404213764
MD5 hash:
5e81fb93e0c9c26b2f59195af9dba7dc
SHA1 hash:
1c93fc90385e066d4580b7685842970ec9f686bb
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
Parent samples :
d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9
aeca0f43e2dcfd7b0b8c07682087952421baea175897a351d58adf0e37ccce40
72377a1023075ac814e170afb8a15d720f6f62f26311ad910c91ead8f4459cc5
6461077970b9463db60faad97819790772c4b8cf94cc068d6a6524f5b7fc28de
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
3b838263d0f4476158ab25ceae765c14f1f0b1b32bf4f26869155e48c8590e75
MD5 hash:
310ff8cb145679b1bdb450a2634eb65d
SHA1 hash:
3c1074c1aabd2e8f1118e194cebb0133a7b31f01
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
3b838263d0f4476158ab25ceae765c14f1f0b1b32bf4f26869155e48c8590e75
MD5 hash:
310ff8cb145679b1bdb450a2634eb65d
SHA1 hash:
3c1074c1aabd2e8f1118e194cebb0133a7b31f01
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
9e8956ad03a20cabde40e1ab55cafd0439c2afdb4918c66bfcefb5b404213764
MD5 hash:
5e81fb93e0c9c26b2f59195af9dba7dc
SHA1 hash:
1c93fc90385e066d4580b7685842970ec9f686bb
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
Parent samples :
d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9
aeca0f43e2dcfd7b0b8c07682087952421baea175897a351d58adf0e37ccce40
72377a1023075ac814e170afb8a15d720f6f62f26311ad910c91ead8f4459cc5
6461077970b9463db60faad97819790772c4b8cf94cc068d6a6524f5b7fc28de
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
SH256 hash:
9e8956ad03a20cabde40e1ab55cafd0439c2afdb4918c66bfcefb5b404213764
MD5 hash:
5e81fb93e0c9c26b2f59195af9dba7dc
SHA1 hash:
1c93fc90385e066d4580b7685842970ec9f686bb
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
Parent samples :
d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9
aeca0f43e2dcfd7b0b8c07682087952421baea175897a351d58adf0e37ccce40
72377a1023075ac814e170afb8a15d720f6f62f26311ad910c91ead8f4459cc5
6461077970b9463db60faad97819790772c4b8cf94cc068d6a6524f5b7fc28de
SH256 hash:
d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9
MD5 hash:
384cd2634f56d5d5de84d44be4d61f5b
SHA1 hash:
23b01d8ad2bdbdf041ece51fd1f3bdb0c3f8d947
Link:
https://www.unpac.me/results/3defef68-49ac-42ec-b44d-e30825756664/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6c977cecc6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 2884661f75f8712fa63b4c04058d1997981aa50bf18c37031d84946602160149

AgentTesla

Executable exe d6c977cecc6cdc34b4e6c636328e2c09571c2651e378793cdc32cd80542b54c9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2884661f75f8712fa63b4c04058d1997981aa50bf18c37031d84946602160149
Cape
Cape
https://www.capesandbox.com/analysis/407374/
  
Dropped by
MD5 f3174838a9deaa7970df3b6d66c664f8

Comments