MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d73763f8b8d4eb91dec386eb7a2ebf9a8a9b40c6b028d57e6144ed74551d460b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash: d73763f8b8d4eb91dec386eb7a2ebf9a8a9b40c6b028d57e6144ed74551d460b
SHA3-384 hash: 6ac145700e895aa48cf4cbd515a19707a40a27a22b1f9dc0bbbc59722f58103fe655a68a19c1ec08c664f53df7cdb80f
SHA1 hash: 90d2762579dfd97d7b767662566f3a623766dd0a
MD5 hash: 189ad2733ba3c8baa0d9fb41e4223d92
humanhash: july-alabama-one-river
File name:Proforma Inv.exe
Download: download sample
Signature AgentTesla
File size:444'928 bytes
First seen:2022-04-07 15:18:13 UTC
Last seen:2022-04-08 05:49:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (29'903 x AgentTesla, 9'527 x Formbook, 4'667 x SnakeKeylogger)
ssdeep 12288:wJrxvRItNiL65tIekTAEr4xwWEL9KHHvxosMKnd:8fsiL65t7kT1rjhKHH5os
Threatray 16'400 similar samples on MalwareBazaar
TLSH T12694DFA05A162183D2906F72C0E3CCB03AE5B1DA9259F7DEBC84DB543FE5198C644BBD
Reporter @GovCERT_CH
Tags:AgentTesla exe

Intelligence


File Origin
# of uploads :
5
# of downloads :
289
Origin country :
DE DE
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Inv.exe
Verdict:
Malicious activity
Analysis date:
2022-04-07 15:33:29 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-04-07 15:19:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
SH256 hash:
fed45f38b80b8651d4a5a625cc6419bf152cf317238bd3cfeec09ab5a297bae8
MD5 hash:
87a4a234f6b4856ea0227446a3c26fca
SHA1 hash:
0ba174cc8c1b25c8f1efcbec8dd9f119b0d08a45
SH256 hash:
504b1a792027d63aac32f61e9c35acc14a05cdccd054444c7cb6a7afff96e0e9
MD5 hash:
a888b27e16ba6d022c8d8d37c3835481
SHA1 hash:
06e02e200bddd4f583ce813b3d9a7cf7a96dedf4
SH256 hash:
d73763f8b8d4eb91dec386eb7a2ebf9a8a9b40c6b028d57e6144ed74551d460b
MD5 hash:
189ad2733ba3c8baa0d9fb41e4223d92
SHA1 hash:
90d2762579dfd97d7b767662566f3a623766dd0a
Malware family:
AgentTesla
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d73763f8b8d4eb91dec386eb7a2ebf9a8a9b40c6b028d57e6144ed74551d460b

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment

Comments