MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0403401376903590e76fc9ee1e0e51d0fe67731af837e419932413bac37254f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0403401376903590e76fc9ee1e0e51d0fe67731af837e419932413bac37254f
SHA3-384 hash: e91dace7364059bdc551b75892518e70bfc8da59b17ce94375d8b3b9528caf061f30fe80900165f3ff99df2f53da72a0
SHA1 hash: ba09dbaec570dae8e8e6d7609f2fc6ee9a434b8f
MD5 hash: ef8b7aaf254cd44a3e6500441ab2eb91
humanhash: maine-twenty-romeo-cardinal
File name:Shipping Document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:13'312 bytes
First seen:2023-02-09 10:22:03 UTC
Last seen:2023-02-09 14:13:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:kYVYVMI6/FfYIbE3k4TQXzZKAw6wzbaZv:rYVt6/2IZtz/w6SbSv
Threatray 1'095 similar samples on MalwareBazaar
TLSH T1D6523B2063EC6523F8BE5FB98CFA5100477CB6E3BC22DB6E15C951DEA9823414591B37
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Document.exe
Verdict:
Malicious activity
Analysis date:
2023-02-09 10:22:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be114463-5f44-47ef-8aae-fab2b5d0c2b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/362684/
Detection(s):
SecuriteInfo.com.Variant.Ser.Cerbu.4222.13807.21774.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a window
Sending an HTTP GET request
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/63e4c9503e913789a6f9b6ed/reports/2bfc562f-a5cd-4136-92a3-948b19515817/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f0403401376903590e76fc9ee1e0e51d0fe67731af837e419932413bac37254f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9fa9ed3a-9302-48a5-9b9e-9218e0641a3e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1169895
Signature
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 802686 Sample: Shipping Document.exe Startdate: 09/02/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 7 other signatures 2->50 6 Shipping Document.exe 3 2->6         started        11 VvcPRR.exe 4 2->11         started        13 VvcPRR.exe 3 2->13         started        process3 dnsIp4 28 185.17.0.79, 49691, 6666 SUPERSERVERSDATACENTERRU Russian Federation 6->28 26 C:\Users\user\...\Shipping Document.exe.log, CSV 6->26 dropped 52 Writes to foreign memory regions 6->52 54 Injects a PE file into a foreign processes 6->54 15 InstallUtil.exe 17 4 6->15         started        20 conhost.exe 11->20         started        22 conhost.exe 13->22         started        file5 signatures6 process7 dnsIp8 30 api4.ipify.org 64.185.227.155, 443, 49692 WEBNXUS United States 15->30 32 flash-tours.gr 46.4.214.202, 587 HETZNER-ASDE Germany 15->32 34 2 other IPs or domains 15->34 24 C:\Users\user\AppData\Roaming\...\VvcPRR.exe, PE32 15->24 dropped 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->36 38 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->38 40 May check the online IP address of the machine 15->40 42 4 other signatures 15->42 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0403401376903590e76fc9ee1e0e51d0fe67731af837e419932413bac37254f/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-09 00:50:32 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
15 of 39 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6badiajxnebvsdtw7spodyhfduh6m5zrv6bx4qmzgjatxlbxevhq._file
Verdict:
malicious
Similar samples:
277695c9c74d59d603816ca495662666d702dce65c7949468eed50ad5e8171a8
AgentTesla
32603d6c0a84eeb638434c8f7e351dd062d88a5da3d4fd659a8ae6570339845c
AgentTesla
3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e
AgentTesla
40fbdffc4c34a41a564d0863ed3563fb04f97b9325c1ec297a4477b15e6efbbc
AgentTesla
577a6f8ac673a1b176fd32c9b8fe01178fee10a2602e3ccbc02b3fdebfa9bf0b
AgentTesla
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
AgentTesla
6bf19b47e17a3856e31e384b6aa304346e151f2c41385d01da5834a751fae776
AgentTesla
bcba671f1e3e1f7ab80f59d5c1cb280bfec3ca519b37820af0bb720fb5d7a8b9
AgentTesla
bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d
AgentTesla
+ 1'085 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230209-md9krsfh9y/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
f0403401376903590e76fc9ee1e0e51d0fe67731af837e419932413bac37254f
MD5 hash:
ef8b7aaf254cd44a3e6500441ab2eb91
SHA1 hash:
ba09dbaec570dae8e8e6d7609f2fc6ee9a434b8f
Link:
https://www.unpac.me/results/40e9b7ec-50cc-4d2c-8bfe-0703e3a7bbaa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f04034013769/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f0403401376903590e76fc9ee1e0e51d0fe67731af837e419932413bac37254f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f0403401376903590e76fc9ee1e0e51d0fe67731af837e419932413bac37254f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/362684/

Comments