MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7
SHA3-384 hash: 9eaab74bd9354c3edda613a7af25a828b6a687f739b02bda81d3d11aa6fcac711d95cd760a6d6f1cd014a6c4b48356dd
SHA1 hash: 72ef28bf30af5f21a1034811cc0eaa9ed1780dc5
MD5 hash: 9ee8c452ce49b91a58ba80f16cf343ec
humanhash: november-lamp-bluebird-sweet
File name:SHIPMENT-INVOICES.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:832'000 bytes
First seen:2023-04-23 12:37:15 UTC
Last seen:2023-05-13 22:57:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ypI6DHMd1DtOIIQ70Vi87765OHPcyUP3xeZ:yJMd1xl/877k4IP3E
Threatray 363 similar samples on MalwareBazaar
TLSH T128059CAB6BBBFF51C1743CB9135112209EF04E96ED2AE1A4FEE8304529137D4DA24787
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 9a3834b9d984c8c4 (1 x AgentTesla)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHIPMENT-INVOICES.exe
Verdict:
Malicious activity
Analysis date:
2023-04-23 12:38:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fd6d2bff-8cee-4cbb-8119-eaeeecd41e6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1968.17197.7008.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644526b0689873b97671fbe4/reports/2b29609f-f7b4-4fbb-8dc7-6d0656ead7e4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e81909a1-f06c-4cd0-966f-186d5d4bd3a3
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219389
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852335 Sample: SHIPMENT-INVOICES.exe Startdate: 23/04/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 11 other signatures 2->57 7 SHIPMENT-INVOICES.exe 7 2->7         started        11 HUNehYYcoENqo.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\HUNehYYcoENqo.exe, PE32 7->33 dropped 35 C:\...\HUNehYYcoENqo.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp1E5E.tmp, XML 7->37 dropped 39 C:\Users\user\...\SHIPMENT-INVOICES.exe.log, ASCII 7->39 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 63 Contains functionality to register a low level keyboard hook 7->63 71 2 other signatures 7->71 13 SHIPMENT-INVOICES.exe 15 2 7->13         started        17 powershell.exe 17 7->17         started        19 schtasks.exe 1 7->19         started        65 Antivirus detection for dropped file 11->65 67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 21 HUNehYYcoENqo.exe 11->21         started        23 schtasks.exe 1 11->23         started        25 HUNehYYcoENqo.exe 11->25         started        signatures5 process6 dnsIp7 41 api4.ipify.org 104.237.62.211, 443, 49704 WEBNXUS United States 13->41 43 api.telegram.org 149.154.167.220, 443, 49705, 49707 TELEGRAMRU United Kingdom 13->43 45 api.ipify.org 13->45 73 Installs a global keyboard hook 13->73 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 64.185.227.155, 443, 49706 WEBNXUS United States 21->47 49 api.ipify.org 21->49 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->75 77 Tries to steal Mail credentials (via file / registry access) 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 07:53:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7a6iimsmdomsgisagvrsvtl73jbm63int4pqc5ilp7r2xolwso3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
028ea05169306fbb55d4243ddba1ab8ef6de4d044dc3b41eb5c4274131388bb1
AgentTesla
0ce32c16206589dd28d7dd0b8d72c5ea452eae2a448e66dd76c25e7a66b64525
AgentTesla
475bd18814dd4181d931894380857accd1428b171ae2f077a6b706411a0005ef
AgentTesla
911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
AgentTesla
98d4406e8ee40991fc7008774e833e0b6cf758ffedd7e06023a926a06646591d
AgentTesla
9c5a321ef423a10c264e0bc599091753b279c557b18b2f655bcd4eaf7d883ee5
AgentTesla
9d83a9e060a29f32c19203afbffe3e6b3d22d71ec4779bc7139c0b22a9881e65
AgentTesla
b056411adcff1f851fbc546d40ccb20c45c5d4dc07ffde472514e10b2e632bad
AgentTesla
f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7
AgentTesla
+ 353 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230423-pt2k7sdc96/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5482315235:AAGwacbjVLMaBQENAXUuPyVg-cvhlK0vn-w/
Unpacked files
SH256 hash:
f6c2bf6524cfb5491c14a5686a9cc498bcf44fcce4dbb3a622871543e81eb3e2
MD5 hash:
04b176f07e08bfd5b45698ab0a976925
SHA1 hash:
c0dfeac8d1724b6ffbf3e60d6c88559c2f12176d
Link:
https://www.unpac.me/results/d0023f85-c84e-4f15-beae-dc6b60043b53/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/d0023f85-c84e-4f15-beae-dc6b60043b53/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/d0023f85-c84e-4f15-beae-dc6b60043b53/
SH256 hash:
99ae729058700b1e583ed877bb15189c5a35650145a67ec5bc838e73cfdecc97
MD5 hash:
0a9bc83358d6bb41584fe45b1522c81e
SHA1 hash:
2a2761fb8bc9ac634dee6b3e3ade8b483100553f
Link:
https://www.unpac.me/results/d0023f85-c84e-4f15-beae-dc6b60043b53/
SH256 hash:
840fc35d7f612312fa3fb5edc048c5619ccac161e9372d4a6349531e5744b3e9
MD5 hash:
0d61d579498600f59e608efff61d7564
SHA1 hash:
236ac6a90590dd4e922bc089be85252752dc7cc1
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d0023f85-c84e-4f15-beae-dc6b60043b53/
SH256 hash:
f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7
MD5 hash:
9ee8c452ce49b91a58ba80f16cf343ec
SHA1 hash:
72ef28bf30af5f21a1034811cc0eaa9ed1780dc5
Link:
https://www.unpac.me/results/d0023f85-c84e-4f15-beae-dc6b60043b53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f83c84324c1b9923224035632acd7fda42cf6d0d9f1f01750b7fe3abb97693b7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments