MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c
SHA3-384 hash: 53bd82413437b9f27829bec0f34f46ef5972d4aa6aff97ed694b0790bdb1c0511ff5a88c2e5086f06d75e6d517a8dea9
SHA1 hash: 36c7ef4b4fae68366eac2accff19f5f4c3db160f
MD5 hash: d278a490e80a88d1e50b566b9884d908
humanhash: ceiling-minnesota-mockingbird-mars
File name:INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:871'424 bytes
First seen:2023-06-15 18:34:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QpcvG73htU7/2eQ1x9ys3qURd3mtAxmauLuwY0q1gc7A8m9MA5AFRPI:QpgG1tCuei9qdtpDqgddGu
Threatray 5'454 similar samples on MalwareBazaar
TLSH T1C70512462504092BC27977F58F55A1F177FF5B9E7D26E3CB0C87B48AACE2F410A20A16
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0661697171716906 (9 x AgentTesla, 4 x Loki, 4 x Formbook)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 18:35:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bbf21ce3-014b-4d60-8e82-a075a1752e26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399287/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33938129.24521.3060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/648b59d8b346cfaa192f0f13/reports/d8b1d35e-d2ac-469f-8343-b40997ddb5db/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d88f60d4-df87-4f20-a52a-221c582e771a
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255524
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 05:32:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xozsnnt5xjdjheg6ommwrjriwgybxakc4d275ea24fg4zye3aga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
46ecdfebbc4147cb426f5db7c417f6f09ff07e214825c2b92c416579580ba345
AgentTesla
4eeedf302a790ebf73335c3bb2d579c9d03e4a13893aa7a9c98eeb2ca8a9576d
AgentTesla
6dfb7a6ea6312982a7aa2bd1247f6d27cd481c455abd98fe9548a47cb3d9102b
AgentTesla
74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02
AgentTesla
7c4d8756750ac99128b6467b57d9bf5f09fa790f239ae298ecb5e4764f90075a
AgentTesla
95d05f1cf422a2fbcf3207e4c6c047138525bcd7d30deb26060c269e88e1df39
AgentTesla
b11454a0c9137a7b39890ca3a5221fb602929a07f080f53a6c14e91989d853db
AgentTesla
c8a03bb2a34bef9c9adb1c61faa08c8b7d647c40be7b88029485e53335eb06b8
AgentTesla
cc921e0670b63842cf917e784f2a32d0419defe2447a15d0a3ec396cbcdc07af
AgentTesla
e41cb506e0425a4de13cb203e274701360c10d84f2cb6b4d59fdd0b3e7785579
AgentTesla
+ 5'444 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230615-w8brnaaf5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/67e0a810-c3df-4b84-a1a3-529c05dc9d5d/
SH256 hash:
6a2f5c7911ae5a344e841328c09e237291535766882f548d0d6e1334dd3f2781
MD5 hash:
d68d7c7d0c67d93068fef2f726278ce6
SHA1 hash:
9cc0883b14a10b2c1f77c41748606d7b5d8a65ae
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/67e0a810-c3df-4b84-a1a3-529c05dc9d5d/
Parent samples :
eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c
ab3230837e2bd9c05f2046d480cf1d789b97d1d06c545f1b39e1fb0dcfb1e1a2
fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d
076556ad465bb59f3c94c5bfc5432af05b8bb41f8cf65fe72f55b0f208c17aa9
SH256 hash:
2916a103a44b01dbab6a563fb2db469b5921e9444bf526368a772dac749e031c
MD5 hash:
126ea900bd5a9d197f82a77178b92bed
SHA1 hash:
5a01e386890ec2b7038b996196d1722d48c11996
Link:
https://www.unpac.me/results/67e0a810-c3df-4b84-a1a3-529c05dc9d5d/
SH256 hash:
13e9be0aba1cef3943954d2a204472356721075f8ecbfe565a476aec8346fdc6
MD5 hash:
4ce78b41df3f0bb4dff20793bcc9f78d
SHA1 hash:
4de22b09a356224b9916836ba2ee181d369d5f4f
Link:
https://www.unpac.me/results/67e0a810-c3df-4b84-a1a3-529c05dc9d5d/
SH256 hash:
518c3c2e035ec57f1d2cdb232129c40a56e089955623521977da811d80e31b51
MD5 hash:
e60c7330ee2906e0bba1bba7e6b693e7
SHA1 hash:
2cce7454737387fef7fa55f0867a65a2934795a7
Link:
https://www.unpac.me/results/67e0a810-c3df-4b84-a1a3-529c05dc9d5d/
SH256 hash:
eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c
MD5 hash:
d278a490e80a88d1e50b566b9884d908
SHA1 hash:
36c7ef4b4fae68366eac2accff19f5f4c3db160f
Link:
https://www.unpac.me/results/67e0a810-c3df-4b84-a1a3-529c05dc9d5d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eddd9935b3ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399287/

Comments