MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee7ee027752ede7e243e117a0de94fc360422b669045df92a45633545a15cd94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee7ee027752ede7e243e117a0de94fc360422b669045df92a45633545a15cd94
SHA3-384 hash: c22ff94d039db05bcfb44896e97868458c1dfff8e126ba691d107d67005a072fdb973170a2608ac6aafbcd23f66e7e6e
SHA1 hash: ca6b7f38282600fe2c4c2bb8f43587f43acaaa50
MD5 hash: fd7550c697c91180af34e8566c0ee093
humanhash: paris-bluebird-winter-march
File name:INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:718'336 bytes
First seen:2021-09-13 12:16:47 UTC
Last seen:2021-09-13 13:24:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:PEqhgtCIV0KRveNK0pvFWBjgaEA8k4DbF53e0IUFLP96ZQG8:PFxOOvFu/y4
Threatray 9'778 similar samples on MalwareBazaar
TLSH T1C1E46B103D968275E47A5F7ECAB863D4E63E7D232F32A03D1B70328606B364D898D576
dhash icon 71f0f8ccccf0f071 (12 x AgentTesla, 4 x Formbook, 4 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2021-09-13 12:20:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7d8151d8-f9fe-4173-87b8-d4a1eb450fc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187456/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.8775.5900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617501419a5a1e91c5d1fc75/reports/953a2c58-9894-4390-aedc-848db3624987/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fabd6406-8eb4-4660-9f5a-02472e3a7d89
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849756
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee7ee027752ede7e243e117a0de94fc360422b669045df92a45633545a15cd94/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 09:29:45 UTC
AV detection:
7 of 43 (16.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5z7oaj3vf3ph4jb6cf5a32kpynqeek3gsbc57evekyzviwqvzwka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1818edd71e01521cba21b92633ee893d42b1b6ca5776a745795d78655dd33a8d
AgentTesla
306de789cb862dffc28d6f2b9c01d7a56559ce13be20311369b27030bbc5339f
AgentTesla
3fd3f37912e5aa23fceb3877d6ee43c8b102410d4fc90b147aab266972939b07
AgentTesla
44d0a445832c1151f0378000985a6c4c0d36528a79ea775824d42815c62fd7fc
AgentTesla
67115e6158519fe2fff92209681162667a0caab50be21cf6ac673b8b827414c7
AgentTesla
8f47a284801f2fea4d4024b2f9b222e4b58538ce71a16c4bba876fd92d9e4095
AgentTesla
9c5fdee6a2c3000cd5824dc794bc51678cf496f098c8e51e3952dd6da8d13128
AgentTesla
9c7002e97c59c4c190abb09e373a5f1010b4790dbcb714e792538e73820d5609
AgentTesla
e0a8adea8bed9b577236dd14614279f055d88b6e485cbc8383794e319ffa9753
AgentTesla
f37967416a4017364443ec1357132fa6416e34c93c174aff8f0aed138deee0b9
AgentTesla
+ 9'768 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210913-pf2n2sdfd7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
231bff283690c7feac02845286bad8f2156b7659d207bea969389ca9bfabe814
MD5 hash:
fb727a87b44b0b1813e63c8380d9d4ca
SHA1 hash:
f21d18fe018880576249d6a75fb4fbc994ae4125
Link:
https://www.unpac.me/results/65cc0251-8572-4a1f-ae20-79b3e70415cb/
SH256 hash:
46bb3047b9b0ec013c88704dc0b133096aa104e6bc4cc52bcf4cab14a06ed2ac
MD5 hash:
1a122e4d9bde54ded4778c3729577bcc
SHA1 hash:
a06fa2672a4cc7f363d72ea7aac509feab19755f
Link:
https://www.unpac.me/results/65cc0251-8572-4a1f-ae20-79b3e70415cb/
SH256 hash:
31cd64a38ac96a6e40cbdd52e291130a7bee6438747102b749800e9e611ed01e
MD5 hash:
9cd68ab0f64920a64a489af6ec918c6e
SHA1 hash:
1f81d52368937caa67bcf556647d57a796b7ffb4
Link:
https://www.unpac.me/results/65cc0251-8572-4a1f-ae20-79b3e70415cb/
SH256 hash:
ee7ee027752ede7e243e117a0de94fc360422b669045df92a45633545a15cd94
MD5 hash:
fd7550c697c91180af34e8566c0ee093
SHA1 hash:
ca6b7f38282600fe2c4c2bb8f43587f43acaaa50
Link:
https://www.unpac.me/results/65cc0251-8572-4a1f-ae20-79b3e70415cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee7ee027752ede7e243e117a0de94fc360422b669045df92a45633545a15cd94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ee7ee027752ede7e243e117a0de94fc360422b669045df92a45633545a15cd94

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/187456/

Comments