MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 700b8168cefa395c3598eaa9cfd929ecf0a990448f38f2974f2c710e0926e6dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 700b8168cefa395c3598eaa9cfd929ecf0a990448f38f2974f2c710e0926e6dc
SHA3-384 hash: 92f48cded8fc59f5efe91b5e1f2a84bfb65d507ae32a54e70665be4365fa64ee951a5c3cf06514ac18f9e40dcbd46aaa
SHA1 hash: dac2fa267ce1455aa126fbf2da95368607aab76e
MD5 hash: 8b6193b8dfdc920cd6bb65d6fc020104
humanhash: seventeen-eleven-hotel-arkansas
File name:8b6193b8dfdc920cd6bb65d6fc020104.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:34'816 bytes
First seen:2023-01-24 16:10:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:DHQOtEtqH58632GkY6zS70dieYwSbtsYU/EZ8QfsAPo:jjEtqHqq2BYlBk+jU/DQfsQo
Threatray 1'657 similar samples on MalwareBazaar
TLSH T140F2B505636C8224FD177ABACC979F7007EAEDE6AC22DA9FA831B7D97932745C504301
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 72690d69690d6972 (8 x AgentTesla, 6 x Smoke Loader, 2 x PureCrypter)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://alpatrik.com/org/inc/ff4783d4beeeb1.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
nueva investigaci�n 01023086635364.xls
Verdict:
Malicious activity
Analysis date:
2023-01-24 16:01:10 UTC
Tags:
macros trojan exploit cve-2017-11882 loader smoke stealer
Link:
https://app.any.run/tasks/4e345531-738d-4c3d-9671-b95438b6c7b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356469/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65152900.421.965.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d003191c9cbf7d62521781/reports/d1b94d80-3b8c-4a5e-97cd-ea6a2a0e7fdf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99e71866-d83b-4672-99e6-3daea844dfbf
Result
Threat name:
SmokeLoader, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158047
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790784 Sample: AA8oaF55xz.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 88 Multi AV Scanner detection for domain / URL 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 94 8 other signatures 2->94 10 AA8oaF55xz.exe 16 7 2->10         started        15 vttccju 2->15         started        process3 dnsIp4 70 isilab.kaist.ac.kr 15.164.23.161, 49682, 49687, 49688 AMAZON-02US United States 10->70 60 C:\Users\user\AppData\...\Vseskllx.exe, PE32 10->60 dropped 62 C:\Users\...\Vseskllx.exe:Zone.Identifier, ASCII 10->62 dropped 64 C:\Users\user\AppData\...\AA8oaF55xz.exe.log, ASCII 10->64 dropped 112 Encrypted powershell cmdline option found 10->112 114 Injects a PE file into a foreign processes 10->114 17 AA8oaF55xz.exe 10->17         started        20 powershell.exe 16 10->20         started        116 Multi AV Scanner detection for dropped file 15->116 118 Machine Learning detection for dropped file 15->118 file5 signatures6 process7 signatures8 80 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->80 82 Maps a DLL or memory area into another process 17->82 84 Checks if the current machine is a virtual machine (disk enumeration) 17->84 86 Creates a thread in another existing process (thread injection) 17->86 22 explorer.exe 5 7 17->22 injected 27 conhost.exe 20->27         started        process9 dnsIp10 66 alpatrik.com 45.81.39.147, 49691, 49692, 49693 LVLT-10753US United States 22->66 68 cletonmy.com 172.105.103.207, 49689, 80 LINODE-APLinodeLLCUS United States 22->68 54 C:\Users\user\AppData\Roaming\vttccju, PE32 22->54 dropped 56 C:\Users\user\AppData\Local\Temp\3FBB.exe, PE32 22->56 dropped 58 C:\Users\user\...\vttccju:Zone.Identifier, ASCII 22->58 dropped 104 System process connects to network (likely due to code injection or exploit) 22->104 106 Benign windows process drops PE files 22->106 108 Injects code into the Windows Explorer (explorer.exe) 22->108 110 3 other signatures 22->110 29 Vseskllx.exe 14 4 22->29         started        33 Vseskllx.exe 3 22->33         started        35 3FBB.exe 22->35         started        37 3 other processes 22->37 file11 signatures12 process13 dnsIp14 72 192.168.2.1 unknown unknown 29->72 74 isilab.kaist.ac.kr 29->74 120 Multi AV Scanner detection for dropped file 29->120 122 Machine Learning detection for dropped file 29->122 124 Encrypted powershell cmdline option found 29->124 39 Vseskllx.exe 29->39         started        42 powershell.exe 29->42         started        44 Vseskllx.exe 29->44         started        76 isilab.kaist.ac.kr 33->76 126 Injects a PE file into a foreign processes 33->126 46 Vseskllx.exe 33->46         started        48 powershell.exe 33->48         started        78 isilab.kaist.ac.kr 35->78 128 Tries to harvest and steal browser information (history, passwords, etc) 37->128 signatures15 process16 signatures17 96 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->96 98 Maps a DLL or memory area into another process 39->98 100 Checks if the current machine is a virtual machine (disk enumeration) 39->100 102 Creates a thread in another existing process (thread injection) 39->102 50 conhost.exe 42->50         started        52 conhost.exe 48->52         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/700b8168cefa395c3598eaa9cfd929ecf0a990448f38f2974f2c710e0926e6dc/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2023-01-24 10:57:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oafyc2go7i4vynmy5ku47wjj5tyktecer44pff2pfryq4cjg43oa._file
Verdict:
malicious
Similar samples:
08c5de8e4d3c038e2385643b3201122ac43f7e09d21b89e42a2186a66fae3434
AgentTesla
2eedd3e3f2bf4ed4fba3eb97248e586a8ab9cdec17e080554830c0b54f63bb8d
AgentTesla
5e6776ba02afa4c03138edcdf1e10dabee3efd6afd1620dcdb3138e7632bcb79
AgentTesla
668eb4590a79e6a228f5048fe1736e40dce34034398cf762e6c6ba42599cb8e7
AgentTesla
685be88c62e8025eeb310af5914b20fcc25ce633e9b04d2112e9386968cf802f
AgentTesla
ab9de97e47a48f549aca1f49ed1f7cccc251c29ffc3fdeece302f351e16d5eef
AgentTesla
cadda17dcae45afe1d65c294f6eb239cff0644dca46af07284216789a0e75bd5
AgentTesla
caef823c9dc88a73e2abd5d2e876f5601396417ea434fdfb5cd296a7e30dc7d1
AgentTesla
ec4b8c7407dce9428bfe6752b90cfd9dafe91d83e238102bf310c6deaeb21a01
AgentTesla
fac7c67b12417b1434baa368422d9f167d2c4473edc2c63921e4b2ee5588b4cc
AgentTesla
+ 1'647 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/230124-tmx2naeb5y/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Detects Smokeloader packer
SmokeLoader
Unpacked files
SH256 hash:
700b8168cefa395c3598eaa9cfd929ecf0a990448f38f2974f2c710e0926e6dc
MD5 hash:
8b6193b8dfdc920cd6bb65d6fc020104
SHA1 hash:
dac2fa267ce1455aa126fbf2da95368607aab76e
Link:
https://www.unpac.me/results/17264902-bd5e-4de3-8f11-a0d6e1957d2c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/700b8168cefa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/700b8168cefa395c3598eaa9cfd929ecf0a990448f38f2974f2c710e0926e6dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 700b8168cefa395c3598eaa9cfd929ecf0a990448f38f2974f2c710e0926e6dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2517296/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/356469/

Comments