MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feb3a8fc0da4f632c7aeb9a19460d04f5881f592b5458988dfa61aa0fdc00d7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feb3a8fc0da4f632c7aeb9a19460d04f5881f592b5458988dfa61aa0fdc00d7e
SHA3-384 hash: 67aef54aa11fbebc8bb1d871c7d33d086fd3f996ff07dc4e6cd6fbb22d1c10d0d0f1c354daaf36ffae40d22081124868
SHA1 hash: a30813168a939185d2af7d7dbe2a52063f9cb9b8
MD5 hash: b256d535ccd4217d5238c23f85dd57f5
humanhash: lactose-bravo-freddie-mississippi
File name:Proforma invoice is attached.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:813'056 bytes
First seen:2023-05-09 16:18:48 UTC
Last seen:2023-05-13 22:55:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GycULwzxw/nm49a7oIqaVqORlsoJ3OtRm5WWhEl6J/xDmhuWqIvpGiMnKG3hg:XxLwz2vm49aEILVq/o9Ou5WWhEN
Threatray 1'129 similar samples on MalwareBazaar
TLSH T1D0058CAC321179DFC917CD76CA683C64EA2030B797CBD207902706A89A4DB97EF145E7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8cacaeacacaeac8c (5 x AgentTesla, 1 x njrat)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma invoice is attached.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 16:19:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b5a66c28-16f4-4a56-ad62-a6f520263f84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387895/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/645a72793b40ceeb9637c426/reports/fdeb1540-3502-4980-b7c3-dd9f03bcfb54/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/feb3a8fc0da4f632c7aeb9a19460d04f5881f592b5458988dfa61aa0fdc00d7e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5fca7b93-b021-46c3-9c87-4c2f2abb769c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229388
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862367 Sample: Proforma_invoice_is_attached.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 5 other signatures 2->64 7 Proforma_invoice_is_attached.exe 7 2->7         started        11 sTBnnXoIHez.exe 5 2->11         started        13 myapp4.exe 2->13         started        15 myapp4.exe 2->15         started        process3 file4 42 C:\Users\user\AppData\...\sTBnnXoIHez.exe, PE32 7->42 dropped 44 C:\Users\...\sTBnnXoIHez.exe:Zone.Identifier, ASCII 7->44 dropped 46 C:\Users\user\AppData\Local\...\tmpF739.tmp, XML 7->46 dropped 48 C:\...\Proforma_invoice_is_attached.exe.log, ASCII 7->48 dropped 80 Detected unpacking (changes PE section rights) 7->80 82 Detected unpacking (overwrites its own PE header) 7->82 84 Uses schtasks.exe or at.exe to add and modify task schedules 7->84 86 Adds a directory exclusion to Windows Defender 7->86 17 vbc.exe 17 9 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        88 Antivirus detection for dropped file 11->88 90 Multi AV Scanner detection for dropped file 11->90 92 Machine Learning detection for dropped file 11->92 26 vbc.exe 11->26         started        28 schtasks.exe 11->28         started        30 conhost.exe 13->30         started        32 conhost.exe 15->32         started        signatures5 process6 dnsIp7 50 smtp.ionos.com 74.208.5.2, 49684, 49685, 49687 ONEANDONE-ASBrauerstrasse48DE United States 17->50 52 api4.ipify.org 104.237.62.211, 443, 49683, 49686 WEBNXUS United States 17->52 56 2 other IPs or domains 17->56 40 C:\Users\user\AppData\Roaming\...\myapp4.exe, PE32 17->40 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->68 70 May check the online IP address of the machine 17->70 78 2 other signatures 17->78 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        54 api.ipify.org 26->54 72 Tries to steal Mail credentials (via file / registry access) 26->72 74 Tries to harvest and steal browser information (history, passwords, etc) 26->74 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->76 38 conhost.exe 28->38         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/feb3a8fc0da4f632c7aeb9a19460d04f5881f592b5458988dfa61aa0fdc00d7e/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 01:56:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
52
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72z2r7anut3dfr5oxgqziygqj5mid5mswvcytcg7uynkb7oabv7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02fa0fa7b89d8ad41c32e0613ef1bb1c38d9b93ea98d9295b7d61c2ca400a300
AgentTesla
290900426b7f0450c34ffe8152e39484e70c6bd90e59958524074c70e3b19290
AgentTesla
494979f4e2eca84b240d774c80ad703ada9db1f3314d6431bdb6228045c7e2b5
AgentTesla
70eddfd85da24eeaffddfdd6326c749326f098b597ce9c8eb79b3e69242a7801
AgentTesla
866e30140fc553f94493a28cae2b615924240cba323fd08f95ee0c716f28ee0e
AgentTesla
a3e624899642025593a5646ecff5cbdf946e5b13debcdf57aad589d4da03de3a
AgentTesla
b17834b8b1ab830ad583d159929a01013cabf188895657bcfd44c4fb95a12258
AgentTesla
d46e1ec4fd88c836e0f27060808c2506e0df5d1034f9c88e56dd37bfc2113120
AgentTesla
+ 1'119 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230509-tshtxscg57/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Uses the VBS compiler for execution
AgentTesla
Unpacked files
SH256 hash:
72591d4b52101367acf9527c0b0a4d642a93d62876d306776e1b5e6bd66a2cfc
MD5 hash:
9eb1d0ac754d3dce1161f805d41aa10f
SHA1 hash:
a7c4fb15a0dd13922ef8bd98f141cb311aefb1a9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/07f3ac8c-a8ea-48ba-a4d1-fcd4fd878215/
Parent samples :
1ba810ae481530f7ac447ba7833cb3ab9fe4547ff978bbbeac3c685c8e8401ad
feb3a8fc0da4f632c7aeb9a19460d04f5881f592b5458988dfa61aa0fdc00d7e
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/07f3ac8c-a8ea-48ba-a4d1-fcd4fd878215/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
655d2bf36507396c9d07491ced26d041e4fbdecedb5ddc61da11870d047f0671
MD5 hash:
a1ecbee220ccba2c579f7cafaacb592d
SHA1 hash:
85f43d6d1e67d7735c0ef61c5de2587486aafa8b
Link:
https://www.unpac.me/results/07f3ac8c-a8ea-48ba-a4d1-fcd4fd878215/
SH256 hash:
2d8f00fa5b9bc7423d1d6743f052a117bc565a2145b31c1a7e10163ce37314f2
MD5 hash:
716200a7ac5eef31d49ba7cbb35b3812
SHA1 hash:
2e9e3dee9b3d2eb3e2e5635306b377c0b3ab2440
Link:
https://www.unpac.me/results/07f3ac8c-a8ea-48ba-a4d1-fcd4fd878215/
SH256 hash:
2be4938933d4349fade16fd90c6f1743f32d08ecbc3d848899737e1f81845f43
MD5 hash:
15c0c80db3cc924683dbf80d3deeb9eb
SHA1 hash:
1d05a2b0d88cfdc81e46453c5ad524083c5ba212
Link:
https://www.unpac.me/results/07f3ac8c-a8ea-48ba-a4d1-fcd4fd878215/
SH256 hash:
feb3a8fc0da4f632c7aeb9a19460d04f5881f592b5458988dfa61aa0fdc00d7e
MD5 hash:
b256d535ccd4217d5238c23f85dd57f5
SHA1 hash:
a30813168a939185d2af7d7dbe2a52063f9cb9b8
Link:
https://www.unpac.me/results/07f3ac8c-a8ea-48ba-a4d1-fcd4fd878215/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/feb3a8fc0da4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/feb3a8fc0da4f632c7aeb9a19460d04f5881f592b5458988dfa61aa0fdc00d7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387895/

Comments