MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad29843768b7dc1c65669f75615d0d1435848479132095a1590a7cd667c8fed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fad29843768b7dc1c65669f75615d0d1435848479132095a1590a7cd667c8fed
SHA3-384 hash: ad12196f654bca59fd92d2e1999e77c94099cdd9386fbf35c837418323ea89fe28c5a15f7f097c281fe5666a1bfbd168
SHA1 hash: 701e51fa114b2fcc2c7c6d8d03838f6368ad9c42
MD5 hash: 56493c470154ab3f05f06df7d87bc98d
humanhash: potato-four-two-nebraska
File name:INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:375'296 bytes
First seen:2021-07-07 07:49:04 UTC
Last seen:2021-07-09 09:41:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:+rQgGxfcyEwZa2n615JXaGe466Kxtwn3p1np2g61Uv81i:h7xU4b6bJXaGp69QZ1nMwMi
Threatray 6'413 similar samples on MalwareBazaar
TLSH 6384F18225581532E5A80DFE902873C90EAEDE874B25D2D9A53F3DF8BCB518167F4387
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2021-07-07 07:51:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1215c92-a1e3-4476-b0d8-0715b813ed0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170135/
Detection(s):
SecuriteInfo.com.Variant.Bulz.550417.660.29291.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9aebe17-f090-45ec-9b51-998299a3fcdd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812738
Signature
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fad29843768b7dc1c65669f75615d0d1435848479132095a1590a7cd667c8fed/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 07:49:14 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ljjqq3wrn64drswnh3vmfoq2fbvqschsezaswqvsct42zt4r7wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3a5b1c9c7e10e40551f26dafe302f056f86ce6c6c138a96b0b79389a095b7fca
AgentTesla
4b2d7c3ea69eef113fb46184310c3f1579d2545c0f618da316b237e25c12f97c
AgentTesla
5e3dd11769ba2b4d02e36ea18cac6e5609610daae6cdc659db647dac1efbeac3
AgentTesla
6bd9139f731b6d71de6ea95806a86fd5a73525c444a8a64089ee70326994d2d8
AgentTesla
77dafc4c23c98c2d0518eb6bcee7cfc13128c249dafc4d5faefbfb67425f40e1
AgentTesla
7f5317db38274cf24a600614903b20d7ba53342ec68b83c8740adc4104b06112
AgentTesla
95706dd9738a31636416e21a724ab85a58bc96ae801b782ea363da3a13e97701
AgentTesla
aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb
AgentTesla
bd2b74e08fad018b100e51f29b67beb001afac1b243e73f4180d22879d86c639
AgentTesla
df0f8724a5cff12da65f785ffdba965eac4ccec51e5ff2c9338344aeb4e01a8b
AgentTesla
+ 6'403 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210707-1ryall8q22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
c821996f2e9420dceba8c2c7ed34594b70917796a0f5e815aab8f2be05b898f3
MD5 hash:
b2eebe4de47a4c2518423abdc60832c5
SHA1 hash:
9bf0b55843153ecc3e04d2014740914d628f60e7
Link:
https://www.unpac.me/results/e36a910e-9475-4a05-bcfd-7c6475def8b6/
SH256 hash:
fdc923bdbc6e68558f215fbf087741a70d3fe31fe634ccb568415b3a57f15b8d
MD5 hash:
968c08fb4befb7213af617aa3a392e0c
SHA1 hash:
832e3dc79ec23732878038cdef0436e9879d0050
Link:
https://www.unpac.me/results/e36a910e-9475-4a05-bcfd-7c6475def8b6/
SH256 hash:
48077698295503ba410d9baf0bc8e8a640524e126c1884b42c85887d5f590a0e
MD5 hash:
176b8e623787b54e1b1fef1e450cbe1e
SHA1 hash:
1fe07ca0bb52ccd1e8113b040e72a28346685d6f
Link:
https://www.unpac.me/results/e36a910e-9475-4a05-bcfd-7c6475def8b6/
SH256 hash:
fad29843768b7dc1c65669f75615d0d1435848479132095a1590a7cd667c8fed
MD5 hash:
56493c470154ab3f05f06df7d87bc98d
SHA1 hash:
701e51fa114b2fcc2c7c6d8d03838f6368ad9c42
Link:
https://www.unpac.me/results/e36a910e-9475-4a05-bcfd-7c6475def8b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fad29843768b7dc1c65669f75615d0d1435848479132095a1590a7cd667c8fed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fad29843768b7dc1c65669f75615d0d1435848479132095a1590a7cd667c8fed

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/170135/

Comments