MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb4970aab2552b6caafb04168d6c49c3c6db794f8cfffac56a5d5b4bff3609a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	fb4970aab2552b6caafb04168d6c49c3c6db794f8cfffac56a5d5b4bff3609a2
SHA3-384 hash:	5fa8d04fe774f4bb58c485933e8f1e92a54a3abbde0b2350e4d199ba3803981332a5f049dc01ff42aaae7498fc3987c2
SHA1 hash:	7c0f2e7442e5385e5be18a8796f9451f39afebe6
MD5 hash:	b89c7398efdf2bbfd7adb248f6403758
humanhash:	six-cola-island-finch
File name:	Records INVOICE NO 0404.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	621'568 bytes
First seen:	2023-04-12 05:52:25 UTC
Last seen:	2023-04-12 09:28:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:1lEI0pW48+hNknKT7GJejOtysczjLdhys//HzrgML3OEfKvajdC8QiCIE7wd3rOQ:ff617GJrYvXLdhys3TrgMrOEff5C8Qi/
Threatray	2'029 similar samples on MalwareBazaar
TLSH	T1A2D46B2D2C8F4266E178E7B59BA18430F7ED8553771FBD2BA8C221C44B12982F8CD56D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe payment

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Records INVOICE NO 0404.exe

Verdict:

Malicious activity

Analysis date:

2023-04-12 05:55:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d3fb774c-19d6-4daa-93b1-0007b2fab160

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/381665/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230411-1832.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/64364740c41e8bc6a3b10e79/reports/43dd98b8-572f-4c01-81f2-70e50876f41d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fb4970aab2552b6caafb04168d6c49c3c6db794f8cfffac56a5d5b4bff3609a2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6f1c1a6-d9b8-4f94-9929-2b311ee20894

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1212349

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fb4970aab2552b6caafb04168d6c49c3c6db794f8cfffac56a5d5b4bff3609a2/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-04-11 17:22:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7nexbkvskuvwzkx3aqli23cjypdnw6kprt77vrlklvnux7zwbgra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc

AgentTesla

234cadb13e56e3214f609a0f493f2474e452cdfd3bb3e322e8cce51219032d03

AgentTesla

2e586ca0465bc9ea67899118a6256b25c9603e45d416c2fe9b6e6c9f30b6375a

AgentTesla

5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9

AgentTesla

6e2d6ab699f72cde12ad29b1c16475feca3e9753dea86f8b7287d5d71027ec39

AgentTesla

8baf546dcd2dc51c04c029bc9fde4b160ee559ff83645883a6dccae20d7b6021

AgentTesla

f563cdeb38846b1493909e30ccf759ebe422a2d18e2b3a629bc7db3d26c34570

AgentTesla

fb4970aab2552b6caafb04168d6c49c3c6db794f8cfffac56a5d5b4bff3609a2

AgentTesla

+ 2'019 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230412-gla5aabh4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

4277d7724cc82c7d07854162ff8a443fa1dbf3303138a680147f5797f31f9875

MD5 hash:

0c315df1ae56add5ced2e830771de5b6

SHA1 hash:

d382a057636d826d28b1c76c38fc943755c7fa1f

Link:

https://www.unpac.me/results/d6726e6a-df5c-4b3d-9286-ecce143f8e66/

SH256 hash:

ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d

MD5 hash:

27f5124bf8f451bca8d8a15c73c4f521

SHA1 hash:

5fd557e109b8fd1c3b362b64f0ba9f1600c07211

Link:

https://www.unpac.me/results/d6726e6a-df5c-4b3d-9286-ecce143f8e66/

SH256 hash:

0095fe1edf322dcb4fcda6e6e200467dfc6716477e15954f7867c1e372b20dbd

MD5 hash:

4a30940c85aca531993f590e12ad4165

SHA1 hash:

370d6a75e13c126882843f678b77c02a8097720a

Link:

https://www.unpac.me/results/d6726e6a-df5c-4b3d-9286-ecce143f8e66/

SH256 hash:

fb4970aab2552b6caafb04168d6c49c3c6db794f8cfffac56a5d5b4bff3609a2

MD5 hash:

b89c7398efdf2bbfd7adb248f6403758

SHA1 hash:

7c0f2e7442e5385e5be18a8796f9451f39afebe6

Link:

https://www.unpac.me/results/d6726e6a-df5c-4b3d-9286-ecce143f8e66/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fb4970aab255/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/fb4970aab2552b6caafb04168d6c49c3c6db794f8cfffac56a5d5b4bff3609a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.