MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8
SHA3-384 hash: a2b0fc5c14a03f898f683e5cb50fc2be2bb807263f197d373d9bd890e2ab047fa841ed718958c16966d219bd13047f5d
SHA1 hash: f113c2985a4f2bd5483c6d16416f7eca7b544976
MD5 hash: d8a5afbf917fc0e824641e96d1a1ac5a
humanhash: echo-lion-uniform-delaware
File name:INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:862'208 bytes
First seen:2023-06-15 06:47:04 UTC
Last seen:2023-06-19 15:05:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:4ORjg/LgxXAa0oe538ph9vFJpZ6S3ozd:42qgZJ0oUM5dNZM
Threatray 5'442 similar samples on MalwareBazaar
TLSH T12505BEAD3650B9DFC817CC7ADAA81C64AE6174BB930BD203912316D99A0DAD7CF141F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
6
# of downloads :
274
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 06:47:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82194c74-4052-44de-8a0a-9bd511fd015b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399041/
Detection(s):
Sanesecurity.Rogue.0hr.20230614-2134.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/648ab423416f5c526e222148/reports/daa388b2-998e-4b05-b72c-e38987231e56/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd995834-5192-465e-bed2-7b2ac42737f7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255064
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 18:09:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ry3xa7apwyksrswkltktpsarfkc6jze4eq4rf354c3aj6gc3t4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
111c25bd4cd2f4771e7fec9e564c623218e06eb1b9d839cf58a9f117b4979ac0
AgentTesla
58e573b3f5001e4f262f0f56cc08391390a10e9fedd7e46b054c3a6197991b32
AgentTesla
7680d977b63a749f186c0b526d37b258b7fb76c41e7e535a27e9c435f72b1804
AgentTesla
76f01e4cfcfc115b4c26f3cae977d3390a6d205ed9ac87c74d471b3dda4bd4a2
AgentTesla
7c65de85148b948a8376a92b592cde38f7b736a02ab2f5eec5c5b54fe787cbfc
AgentTesla
852e0d9a8f474077261d053d587868b211e70eff320a7e7067c3fc1cb3253ea5
AgentTesla
cf44163e574fb84c598bd3a738aac3119c0f64cc7c6fce5739faca7ea9158bcc
AgentTesla
de4e83422e4f28ede29ee71e76da0bafc7436f8a18d4845eda47be1a4e3ec2b8
AgentTesla
+ 5'432 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230615-hkrw3sfa22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash:
15aab611795bcbf2758052944013be1a
SHA1 hash:
772a1002b111e117cf3b1e9f0cabda4894777399
Link:
https://www.unpac.me/results/da028f62-d118-43e8-b663-543d711dcd5d/
SH256 hash:
90abc1235306796e82f284392509f1cd6c9150b8fa2b93b5cd976537462c7b53
MD5 hash:
363cc1ac1fa18f653a353d6e8cbc18ae
SHA1 hash:
63670df5c3909c16060eae0e74b491f1985ea37f
Link:
https://www.unpac.me/results/da028f62-d118-43e8-b663-543d711dcd5d/
SH256 hash:
b854efd70f87b6cf0217c4ff3f38604c34a257694cf1d4219976159e1e814720
MD5 hash:
2350c08e423fbfb08ac0af73a0f73caf
SHA1 hash:
4e0a0397bdc2fcd46fd8eb1964426029a7f9d940
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/da028f62-d118-43e8-b663-543d711dcd5d/
Parent samples :
f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8
f4992ccd1efb1526569676630c916c68f1bc0ea3ca0061286d22950244666f64
ad742072fb4452b030471fe8d2fc33422a2e683b8320616da6ee62c999a76961
97289b7b81716c422ed44dc42d80db0ba56989bff3a879d31a28b935686475bf
SH256 hash:
f3fc82a9dadb6ac3df2360061250d23877ed599dc83e85426aae797e0c616707
MD5 hash:
00cd1128fd222e590f56033436b07e37
SHA1 hash:
2d5719faf4efadb2691b2282ebeb8a3ea4249138
Link:
https://www.unpac.me/results/da028f62-d118-43e8-b663-543d711dcd5d/
SH256 hash:
e38137d9598e9346db7b745a1cff7ce7b6c9cd769cc56f7e229ac8750118e5ef
MD5 hash:
11654983b4f25c8e52219bd1dbbe6cf8
SHA1 hash:
0c64531adc1c36479f5503100bed8d5eacfe3e6d
Link:
https://www.unpac.me/results/da028f62-d118-43e8-b663-543d711dcd5d/
SH256 hash:
f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8
MD5 hash:
d8a5afbf917fc0e824641e96d1a1ac5a
SHA1 hash:
f113c2985a4f2bd5483c6d16416f7eca7b544976
Link:
https://www.unpac.me/results/da028f62-d118-43e8-b663-543d711dcd5d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f471bb83e07d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 130a5416c6cb56e49a88e55993bad9b770a3e13d0fa38fa5192b671d0cd99c8e

AgentTesla

Executable exe f471bb83e07db0a9465652e6a9be4089542f2724e121c8977de0b604f8c2dcf8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 130a5416c6cb56e49a88e55993bad9b770a3e13d0fa38fa5192b671d0cd99c8e
Cape
Cape
https://www.capesandbox.com/analysis/399041/
  
Dropped by
MD5 cc051589dfa68419bb4f70f5f1664cdb

Comments