MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
SHA3-384 hash: 8bfdddf3fa01eb77424a50ba6f3b1af1e55f67057e1a830145e229b145445a897b241f88331680f3f54b6d1ba628bad4
SHA1 hash: eacb1f0b710b649cca09caee811940c23a5e5318
MD5 hash: 1064aa38f07a52d59faa3a4131e8ce87
humanhash: alaska-arizona-happy-bluebird
File name:Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:676'352 bytes
First seen:2023-09-11 10:16:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Z5fVsbR242673PWTmc1V+yWe9OU9yGG7/pNJ7Uhto:ZtO242AYVV+yWXPr7xNhUht
Threatray 1'297 similar samples on MalwareBazaar
TLSH T1BDE4E0F85466CBE2D7B493FF61AB95749D277C91207582CE737C38844EAAAC31852C32
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-09-11 10:16:53 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/cf1ea4c0-2b03-4138-bf8f-ac008dce29d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447902/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.DownLoaderNET.710.25820.23089.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64fee91f86964ed9c619ad46/reports/9873d6fa-f398-49e1-95be-e5f21bd9530b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d543b7e-550e-44a8-90fb-6beb2a8a5ace
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307211
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1307211 Sample: Invoice.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 49 mail.suncil-intenational.com 2->49 63 Found malware configuration 2->63 65 Sigma detected: Scheduled temp file as task from temp location 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 7 other signatures 2->69 8 Invoice.exe 7 2->8         started        12 FkSAmvNAPc.exe 5 2->12         started        14 yPPclX.exe 2->14         started        16 yPPclX.exe 2->16         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\FkSAmvNAPc.exe, PE32 8->45 dropped 47 C:\Users\user\AppData\Local\...\tmpC2EF.tmp, XML 8->47 dropped 85 Uses schtasks.exe or at.exe to add and modify task schedules 8->85 87 Adds a directory exclusion to Windows Defender 8->87 18 RegSvcs.exe 17 4 8->18         started        23 powershell.exe 19 8->23         started        25 schtasks.exe 1 8->25         started        89 Multi AV Scanner detection for dropped file 12->89 91 Machine Learning detection for dropped file 12->91 27 RegSvcs.exe 12->27         started        29 schtasks.exe 12->29         started        31 RegSvcs.exe 12->31         started        33 conhost.exe 14->33         started        35 conhost.exe 16->35         started        signatures6 process7 dnsIp8 51 mail.suncil-intenational.com 18->51 53 api4.ipify.org 104.237.62.212, 443, 49724 WEBNXUS United States 18->53 55 api.ipify.org 18->55 43 C:\Users\user\AppData\Roaming\...\yPPclX.exe, PE32 18->43 dropped 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->73 75 May check the online IP address of the machine 18->75 77 Installs a global keyboard hook 18->77 37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        57 mail.suncil-intenational.com 27->57 59 64.185.227.156, 443, 49725 WEBNXUS United States 27->59 61 api.ipify.org 27->61 79 Tries to steal Mail credentials (via file / registry access) 27->79 81 Tries to harvest and steal browser information (history, passwords, etc) 27->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->83 41 conhost.exe 29->41         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 09:46:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=36so3f2mdmdvecm4nv3fwoeln3bii7byh6qrluaapeptjqlvvjkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00f9a0e9d500d85a1a380a015b722b67947a10b7bc22ad583b60a249f82a74db
AgentTesla
053c8aaa925b54a2410ff1f41f6f06bedf4f6d61067e27a8ad6cda39c91e52fb
AgentTesla
5f348fe41915ae5089634894d32316469efc21b5cc6e85a0f100aa70cd2f3474
AgentTesla
6d304e636be69bafcfae9423e629770fe3499d352e2a2259b9dc8f428b9e7cbc
AgentTesla
8418ebee87a14a2ecbf14dcab28b5b311efee6d4a66cf95ff6c748e35320485a
AgentTesla
a350436c4c1b84c822cc9e34b556e10ff3b187f33b38448b3391f8d31623d2cb
AgentTesla
b9c74c6cf3df328ddeee396c2602a7d93a6fa4f8fc3f1e67e41d91e290592e4e
AgentTesla
ef64bf88be50dcedfb18bb1310109a48940ef5e434e3c83b63a7fa6b2a78fe00
AgentTesla
f8ed4bb623e64e25ffa201ed4d490789e6707b8dce4ebc99ca181aefc9c08ebf
AgentTesla
+ 1'287 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230911-mavmfafc2t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
32c8589b272f5e76459442108d1f8aba881414fbe91f638723345556757608f1
MD5 hash:
b2e93d4a9e64d1d8e2a032c914c1bdac
SHA1 hash:
e40c5316797d0487aeda3aa33bdd516758f8c7f3
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/83aaaa3f-7463-4099-b118-eb4dc8d0ad59/
Parent samples :
601ca85fa385ee74827fc023fc91c88964e8bc7dd8724305cddf1e089c7d372a
6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52
118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e
8418ebee87a14a2ecbf14dcab28b5b311efee6d4a66cf95ff6c748e35320485a
dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
SH256 hash:
43d64bdb904fdeb25f25928bb68dbd93a6304b50147b435c2e6446f1176b9b44
MD5 hash:
68fb0c7a8cda3cfc2fb6ef8eccb83f04
SHA1 hash:
22c0951f010c60a4a70e0d949818b7b88593e36f
Link:
https://www.unpac.me/results/83aaaa3f-7463-4099-b118-eb4dc8d0ad59/
SH256 hash:
e40a0f0c09860199cfb2bf25501365a360e625bfef8ccd22e821439b52b2fdbf
MD5 hash:
ce17da48a2fd30478068ef305cd9cfcb
SHA1 hash:
19f03ff226e44014846155583bdd670152505b9a
Link:
https://www.unpac.me/results/83aaaa3f-7463-4099-b118-eb4dc8d0ad59/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/83aaaa3f-7463-4099-b118-eb4dc8d0ad59/
Parent samples :
cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688
SH256 hash:
dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
MD5 hash:
1064aa38f07a52d59faa3a4131e8ce87
SHA1 hash:
eacb1f0b710b649cca09caee811940c23a5e5318
Link:
https://www.unpac.me/results/83aaaa3f-7463-4099-b118-eb4dc8d0ad59/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dfa4ed974c1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar a5de04d4675515879727c01c0238d7f1a887057f71632eb5095a412ffc92561b

AgentTesla

Executable exe dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a5de04d4675515879727c01c0238d7f1a887057f71632eb5095a412ffc92561b
Cape
Cape
https://www.capesandbox.com/analysis/447902/
  
Dropped by
MD5 37f38da5ff590566dfd19af906271720

Comments