MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3
SHA3-384 hash: d7265f679332fddedccc6f14775d14ed208b0f059d973c924cce2ac1f68bd269c3d91fe5660dcb6a0f0909e74a384745
SHA1 hash: 91fb45a95d23b4f55edd03d3feec4336f154a1f0
MD5 hash: cc32d1859a40b67a26e388c51df00e16
humanhash: zebra-social-winter-aspen
File name:Proforma Invoice February.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:850'944 bytes
First seen:2021-02-14 12:53:53 UTC
Last seen:2021-02-14 14:55:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:vhGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzz4qDcQ3CNwiYmhYpbwH:szHSvi7AYaf+dk+gzhcQyNwoW5g
Threatray 2'606 similar samples on MalwareBazaar
TLSH BC05022136E4DB58C92D5779003418C063FA3E07FB27CB6F7D8672994E35A9E2B48792
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.mediawest.it
Sending IP: 85.94.211.194
From: <info@alexandrahotel.fr>
Reply-To: info@alexandrahotel.fr
Subject: Proforma Invoice
Attachment: Proforma Invoice February.zip (contains "Proforma Invoice February.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice February.exe
Verdict:
Malicious activity
Analysis date:
2021-02-14 12:55:26 UTC
Tags:
trickbot
Link:
https://app.any.run/tasks/6ec8e47e-64ea-4ef3-b554-59090d284315

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117070/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.cc.18702.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Creating a file
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving of the original file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607559
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352808 Sample: Proforma Invoice February.exe Startdate: 14/02/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 6 other signatures 2->55 7 Proforma Invoice February.exe 15 4 2->7         started        12 icloud.exe 4 2->12         started        14 icloud.exe 3 2->14         started        process3 dnsIp4 35 192.168.2.1 unknown unknown 7->35 31 C:\...\Proforma Invoice February.exe.log, ASCII 7->31 dropped 57 Moves itself to temp directory 7->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->59 16 PDF.exe 14 4 7->16         started        20 conhost.exe 12->20         started        22 conhost.exe 14->22         started        file5 signatures6 process7 file8 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 16->29 dropped 41 Writes to foreign memory regions 16->41 43 Allocates memory in foreign processes 16->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->45 47 Injects a PE file into a foreign processes 16->47 24 InstallUtil.exe 2 4 16->24         started        signatures9 process10 dnsIp11 37 smtp.idroconsulting.biz 24->37 39 us2.smtp.mailhostbox.com 208.91.198.143, 49745, 587 PUBLIC-DOMAIN-REGISTRYUS United States 24->39 33 C:\Users\user\AppData\Roaming\...\icloud.exe, PE32 24->33 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->63 65 Tries to steal Mail credentials (via file access) 24->65 67 5 other signatures 24->67 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-14 12:54:12 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ocb5a7tw5xt56u5lolt3dm5xcr6os64b3civfa4lcwbty2h3lxrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a9ce88cb32da5f8aab38458eb7b58db8ca8250a06e98d6c1a9eda48d7a1aac1
AgentTesla
5defd50046db301c82c85cc8306960982f576cbf5446f24062cc570dcf0becec
AgentTesla
69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f
AgentTesla
8db06aca14a39bea41ccc392fa7e7468201a73c4bc8f9302b38515e1fedf216b
AgentTesla
8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
AgentTesla
9bad59a7b2c604957e6dc7f52dbebcaf6b240eba426bdd2e973625cdd6c50c50
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
aba6e7eb4829aa943ce897edb7d6a6c7f9c91c516098734799d646d195bbbabd
AgentTesla
c813f48272b6106bf37619e57fbde62d1edb5fa5772a1a131374ca05685450a7
AgentTesla
d3083455681d65c6d3d151874554ad31b053ea89daa743f09ad2128e978999dc
AgentTesla
+ 2'596 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210214-qewt3l67w2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3
MD5 hash:
cc32d1859a40b67a26e388c51df00e16
SHA1 hash:
91fb45a95d23b4f55edd03d3feec4336f154a1f0
Link:
https://www.unpac.me/results/3e64b46b-565b-42eb-85f2-5169e3ea18db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip af39be910f701c7c74dc062d694c50870a14d4c6fb703c3f3f4f92f44bd4b44f

AgentTesla

Executable exe 7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3

(this sample)

  
Dropped by
MD5 b678dca816b5159fa36ea7396385ba6b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 af39be910f701c7c74dc062d694c50870a14d4c6fb703c3f3f4f92f44bd4b44f
Cape
Cape
https://www.capesandbox.com/analysis/117070/

Comments