MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59
SHA3-384 hash: d150e28b9c6c1171ba6f976d8cd790d2b88b9375b387ab1807ec72ad78195f0528a1e930f73a26b9f8e3c1b779215c97
SHA1 hash: 18d07cabe2d0de7e090c180a282b6422921e070b
MD5 hash: 476ecc9effd8ad177c15f642fa058682
humanhash: leopard-berlin-fifteen-november
File name:invoice no 214275.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:547'840 bytes
First seen:2023-09-14 16:07:36 UTC
Last seen:2023-09-14 16:08:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:dHj8FwLm/c2mVOO2QUFmBP4EqRvzXxOTWZRXb15R0rS2cCPDGjRBIVB:dHj8F6+uOODKv/ZB4k5bt2lSl2VB
TLSH T11FC42341215EA531C9ED873E42D50D9917B8C7E17A2BD72E8FCA531A2E83B120FD934B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 42e8ecf4f4ece468 (3 x AgentTesla, 1 x SnakeKeylogger, 1 x Formbook)
Reporter cocaman
Tags:AgentTesla exe INVOICE payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
invoice no 214275.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 16:10:12 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/870ca076-ec0e-42b4-bab5-a90b0a34ac2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448686/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15625.9586.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65032fe41a86bbaa1f837519/reports/94858515-777a-4cbf-8eb7-747af259fbee/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24fbb6cf-f75c-410c-8ee0-ff21b07f600f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308119
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308119 Sample: invoice_no_214275.pdf.exe Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 8 other signatures 2->57 7 invoice_no_214275.pdf.exe 7 2->7         started        11 xGnOuRTg.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\Roaming\xGnOuRTg.exe, PE32 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpEAE6.tmp, XML 7->39 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 RegSvcs.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 23 RegSvcs.exe 11->23         started        25 schtasks.exe 11->25         started        27 RegSvcs.exe 11->27         started        signatures5 process6 dnsIp7 41 mail.expertsconsultgh.co 173.254.28.237, 49714, 49716, 587 UNIFIEDLAYER-AS-1US United States 13->41 43 api4.ipify.org 104.237.62.212, 443, 49713 WEBNXUS United States 13->43 45 api.ipify.org 13->45 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->67 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->69 71 May check the online IP address of the machine 13->71 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        47 173.231.16.77, 443, 49715 WEBNXUS United States 23->47 49 api.ipify.org 23->49 73 Tries to steal Mail credentials (via file / registry access) 23->73 75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 35 conhost.exe 25->35         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-14 02:37:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bamwkq4arixrg3mdmkwlj2zo26273lsrvbveuvtetliadpv75mq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230914-tk7s3sfg54/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
0cc2d545cdbc9aca7ac5732fc2e1858bae1b8c575e67f0b4b8077610c5597806
MD5 hash:
604ba9fe5293c6b09155e9593e5fe8b4
SHA1 hash:
c9ca531c5c50091dcdeabea6af26643e897fe3f8
Link:
https://www.unpac.me/results/7b85f18d-a020-4d2a-9366-a122a612862b/
SH256 hash:
1d8c0e3e95e127d81b1a03e1cd0d1b03aca690538c6493072b91ec84aeea4191
MD5 hash:
3572ceb0fdf5bb3e7623c3c214495d4e
SHA1 hash:
a061bcd85a1a7bbc29840373c7bcdb9169ff2eb0
Link:
https://www.unpac.me/results/7b85f18d-a020-4d2a-9366-a122a612862b/
SH256 hash:
c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89
MD5 hash:
8560712e92050b126209625784bac522
SHA1 hash:
31ace913c80581487089a4ce88a03616cda905ed
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7b85f18d-a020-4d2a-9366-a122a612862b/
Parent samples :
d9c02f3e9cc894fd55747ee2c449c1c40c2906d9fe1134994593eb0e81589a30
28657acf0a25a10979f1f7df41780b42fbeef920272067f9345f7a6a4788f889
3b0760dbe7dc9ac6a2cf5971ddde67c51e57bc973995cf641de226409b537817
930ac5c7da662a0118aba6fa78aeadf706ed8b5ab98e03b94dbd04991dfd2b7d
c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89
f8105fdfa774017614ec9aa30084a2a6645456c05704896fc972dd5d0c99ec76
ec57c2de3349840ec8ac00000c964ba5c68cda5b954f6ea4ca3ced7098257286
ddf7770047bab26cd3cc7752df568dda1b03789739ed404e3c5143bf0abba51f
9edefc168186e3a7ea6785affc672f91cbe4f592d4b84c75435866f16eddc82b
4f14ea5723dc55b7fc4a76f7bc7f5a834a16f531d8d47342b9a64a79678d417b
bb5557412213a1e283b548c6cd1da5c5848610756cd98352e6a77bb7ae952839
208319e004a6786ea50aacc67797171f4f4356f232bbf2e99c91cdbbe48c7624
5ab2ba45e2190d5a88041adb9a7be32bebe71a846832bba6efde116531d087c2
f4f24561c696372a62370c947fdecb96cfa6162711718f79a2c2e07836b69c80
4c2cbc5a9ebf7ef6269d1b0533da551b9e1bd419d0e8626db602ea0f77ae8f08
600d4ce1088af7290d2e4096db034af9eca3431a7942073dc485788a538a0747
b5169b6fa30cff601e0f3473f0a95006767553560753831f4e7f365758011433
ad2a1e6ea8fb128c76cafb20b9eae42b641ba5bf8932ac1867a8e3c51889192a
00ec18a18e5816731a60f69bcbe7c9296ae4084e5e390e8b545d475e1a37c7d9
a9bfb74e882c289a3fcbdc104411229292d0127efacffda9beb22206f58630aa
d65ba38b65d9ef5515d49a13be05cbdc0094c25a6ae4823935bc6f838de759a7
fcd2ed1088d64779e16e5134652d8360212e613b75c6cd5929216cabe27cfeeb
e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59
0b675485123aef301b8f33a5ebca2b1dfb12c7bffcdc7331dc16615c9d6b0495
e108137aa0469b5a1affc9d86a92e9e844a9540d9082ca5511b67de114310f88
ac04f04d01ae5428a8017be37d7d1352ad3212852c259d1a0e2f775969ecc36c
768ad01a4a10350c639160a41fcb2e08e108cfeddb993cb2535bc1804fdd1a3c
ac4ba0aff57a411df5eabcec6b1ab5cff2ff47dcf578fdce74be6cd3405b626c
a92454653447052d1a4d2342adeae2ae74a0499868a6fbd7834773b47b368cb7
c7834a1e61260b87156453c5281e2dc6f922d6ffdced1cec6ad2c5507680fa17
66d429595734624fc9610dff9b019f6b1687865f7197094a6102ced753453f9d
b6ae3f27029900241bf6ecd397a0686061db57ce48df21098bc27d365fc3139f
b0f78bdc2bfc668fc39e8735344d5c6ca8f78290132b70734c76dbf436c41c44
52c04c41fc17f8f05d233e2b9403fcebc3ccb8fb1b4e7d776a9b7db78d4fa980
c94c3741876b0ec763fa759b91c10d941c12626e84ef0d43c6c64cec7959f4f8
38468ab187452cb5bb9572bfe5b111449b8daa66678cd67396f8d5ccaaa382a4
e774f64c2078e0b89fa7a65590044e70212823f02b0300636deff0ccb5a36971
d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1
cb7de7bc680acafc54395cc399b1a38c440424738270c4bbd005b4a13229fc39
cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/7b85f18d-a020-4d2a-9366-a122a612862b/
SH256 hash:
e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59
MD5 hash:
476ecc9effd8ad177c15f642fa058682
SHA1 hash:
18d07cabe2d0de7e090c180a282b6422921e070b
Link:
https://www.unpac.me/results/7b85f18d-a020-4d2a-9366-a122a612862b/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e840cb2a1c04/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d16fc0e0aa125950696064f1fb20bb379c314026ea8e640a2882c6dd4f351721

AgentTesla

Executable exe e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d16fc0e0aa125950696064f1fb20bb379c314026ea8e640a2882c6dd4f351721
  
Dropped by
SHA256 8d39b7c6c1483f3238f367e08403fbe71d045b4ca2d56d8742c48a672f8eaf83
Cape
Cape
https://www.capesandbox.com/analysis/448686/
  
Dropped by
MD5 31b18df63e4b5fd030a1ffa8750be98e
  
Dropped by
MD5 9378f26af2f583932f75b54c25869bcc

Comments