MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e22c3d1ab8ef88ee0a11c9d5decd9e2826bb702e3d4eab60f5143e039d36b99a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e22c3d1ab8ef88ee0a11c9d5decd9e2826bb702e3d4eab60f5143e039d36b99a
SHA3-384 hash: 40a86097bea7700c4baa8faabba712c6f9afda6bf77e8c52eae5a5d4ffd4ec55c490bdc6300f44e8a1a140ee12aab533
SHA1 hash: d70cb1c05d0cf36be6b3f3897eb3e79b03ff2a2f
MD5 hash: 4d3da705af8ff3bc0497564b55946078
humanhash: table-ohio-lithium-glucose
File name:INVOICE13453.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:716'288 bytes
First seen:2023-01-24 09:23:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:GuKQMtEwcU3gZ+GQzjkATGdskSotxxfJZ7sAw8RF6ashQb8COhJiRF3P3xwr:pV6AAgZbQzlGUotbHYARRQashQb0iRq
Threatray 24'700 similar samples on MalwareBazaar
TLSH T14DE4221033E84699D66883FB1653D2C113F23A36967AE33D4D94B6DB1C36BC19A10F9B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE13453.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 09:26:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c6584168-4c67-433a-8009-30821fb411ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356327/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63cfa3b31c9cbf7d6251f9c8/reports/405023dc-c40f-4dc9-a8ad-d42de9a4bcec/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8012a13a-8648-46b1-b601-6c82e105491c
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157760
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e22c3d1ab8ef88ee0a11c9d5decd9e2826bb702e3d4eab60f5143e039d36b99a/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4iwd2gvy56eo4cqrzhk55tm6fatlw4bohvhkwyhvcq7ahhjwxgna._file
Verdict:
malicious
Similar samples:
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
52ab9f2e3878dd9fa61c7bbbdfff113485fb4c12f8af0fa28b938696d68e54bb
AgentTesla
6e90c85fbcfa669738f0d090ebe3f5dceb5b4796cd523c3f51cc956af3a20cdf
AgentTesla
77a9e6a12d18f811e2b4852add5a1a423202396a6d21285a4d6e6acd4d3f1a47
AgentTesla
7d142fc404d92deb83891ca5dacffbc9e9754797ed55b1562873a7b4c2c914b7
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
fc34aca4f3035bcc925c891cb0c14aa20ba17b60d2d4f397a0327ce77e4c19bd
AgentTesla
ffb64f4d42dd2de275cbf4ae7b334ffdd8920ff8fec95aca9900493472603d16
AgentTesla
+ 24'690 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230124-lc2cbsad49/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e8cc11d74aab2fbc05a839a83d9504b0686c0b4fe6b4ed8a24c0436bae14164c
MD5 hash:
33a258786c5dea22c3ad8d59d5a1b42f
SHA1 hash:
d0fad2a9c7d0ea58ddab27a3ca3121ffc49e9f3f
Link:
https://www.unpac.me/results/65d51657-b464-4121-b43d-461855fd975c/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/65d51657-b464-4121-b43d-461855fd975c/
SH256 hash:
86716a105ca440b4f0c81f5a568d19d343fe0b72efd32eb21bbb83a9e71d4268
MD5 hash:
35f8b9118ed8e4d9cbd4850573c95131
SHA1 hash:
808fbe89d918eb81bf539c284a660bdd4dd097ce
Link:
https://www.unpac.me/results/65d51657-b464-4121-b43d-461855fd975c/
SH256 hash:
d92b12844d7bf493e1f6a617b7daa7c2e845184103eaffa08fdaa7b814e497bd
MD5 hash:
f6397c733cb219c8038a42f22a0d41c4
SHA1 hash:
4a7fc4c4029c2ac68613a9b44e876e9aefb61683
Link:
https://www.unpac.me/results/65d51657-b464-4121-b43d-461855fd975c/
SH256 hash:
739e6e636978133011e71896106398a8bb187e057f02e1418e1219e0a4a3cbed
MD5 hash:
b162792582e79c1bd7ee7ed2bf74671c
SHA1 hash:
3132ef9f50c2daaa551512aa6e000a3784e34b5e
Link:
https://www.unpac.me/results/65d51657-b464-4121-b43d-461855fd975c/
SH256 hash:
e22c3d1ab8ef88ee0a11c9d5decd9e2826bb702e3d4eab60f5143e039d36b99a
MD5 hash:
4d3da705af8ff3bc0497564b55946078
SHA1 hash:
d70cb1c05d0cf36be6b3f3897eb3e79b03ff2a2f
Link:
https://www.unpac.me/results/65d51657-b464-4121-b43d-461855fd975c/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e22c3d1ab8ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/e22c3d1ab8ef88ee0a11c9d5decd9e2826bb702e3d4eab60f5143e039d36b99a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356327/

Comments