MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
SHA3-384 hash: 2f92820910f1710bc1bc7b976cb8df270e5672b76a9d3b05efd08f7600567157f2c0bd799f4823e551ab0ab76a86c4ec
SHA1 hash: a693ec7bdaa1e0f372511b9669fd7cd955b49d64
MD5 hash: 1f56c245157f59bd32238edc9170a11c
humanhash: hamper-virginia-six-hamper
File name:SecuriteInfo.com.Win32.PWSX-gen.3985.20842
Download: download sample
Signature AgentTesla
Create hunting rule
File size:758'272 bytes
First seen:2023-07-24 02:27:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:midvJRBusyjqsH/4YDHkR9/L3WpQZrPfcuF5NQ9oJ0SNx1N:LFuqe4YDgipQZrPUQ69oyWr
Threatray 5'133 similar samples on MalwareBazaar
TLSH T1C0F4128333552E0EF2DEBABB5A61461123B155562813E38DCCB22D857FA17C4BF806DB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4923292e2ccb4c0 (13 x AgentTesla, 7 x Formbook, 3 x Loki)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.3985.20842
Verdict:
Malicious activity
Analysis date:
2023-07-24 02:30:07 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/8ca6ee59-469b-4448-950a-597305f7d8e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430516/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3985.20842.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64bde1b346e64860de10cda8/reports/695f372b-7468-4d8a-a128-25d2c3f6b74d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7c71045-ace8-4a1a-a5e7-78641e1b236b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277969
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277969 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 72 Found malware configuration 2->72 74 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 5 other signatures 2->78 7 SecuriteInfo.com.Win32.PWSX-gen.3985.20842.exe 7 2->7         started        11 NpblqXP.exe 2->11         started        13 azjuDRVl.exe 5 2->13         started        15 NpblqXP.exe 2->15         started        process3 file4 50 C:\Users\user\AppData\Roaming\azjuDRVl.exe, PE32 7->50 dropped 52 C:\Users\...\azjuDRVl.exe:Zone.Identifier, ASCII 7->52 dropped 54 C:\Users\user\AppData\Local\...\tmpE648.tmp, XML 7->54 dropped 56 SecuriteInfo.com.W....3985.20842.exe.log, ASCII 7->56 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->90 92 May check the online IP address of the machine 7->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 7->94 96 Adds a directory exclusion to Windows Defender 7->96 17 SecuriteInfo.com.Win32.PWSX-gen.3985.20842.exe 17 10 7->17         started        22 powershell.exe 20 7->22         started        24 schtasks.exe 1 7->24         started        26 SecuriteInfo.com.Win32.PWSX-gen.3985.20842.exe 7->26         started        98 Multi AV Scanner detection for dropped file 11->98 100 Machine Learning detection for dropped file 11->100 102 Injects a PE file into a foreign processes 11->102 28 NpblqXP.exe 11->28         started        30 schtasks.exe 11->30         started        36 2 other processes 11->36 104 Contains functionality to register a low level keyboard hook 13->104 32 azjuDRVl.exe 13->32         started        34 schtasks.exe 13->34         started        signatures5 process6 dnsIp7 58 agentbetking.com 23.94.150.194, 49691, 49695, 49700 AS-COLOCROSSINGUS United States 17->58 60 mail.agentbetking.com 17->60 70 3 other IPs or domains 17->70 46 C:\Users\user\AppData\Roaming\...46pblqXP.exe, PE32 17->46 dropped 48 C:\Users\user\...48pblqXP.exe:Zone.Identifier, ASCII 17->48 dropped 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->80 82 Tries to steal Mail credentials (via file / registry access) 17->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->84 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        62 mail.agentbetking.com 28->62 64 api.ipify.org 28->64 86 Tries to harvest and steal browser information (history, passwords, etc) 28->86 42 conhost.exe 30->42         started        66 mail.agentbetking.com 32->66 68 api.ipify.org 32->68 88 Installs a global keyboard hook 32->88 44 conhost.exe 34->44         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2023-07-24 01:55:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
14 of 25 (56.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ouinepc33chn4lmnf355nwcr3io7zxa57mejxafeumilp64w35fa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e99461e1d9e814ab13a7c724a4a71e043b9ad82ab978ab15a70e2e3abfa0468
AgentTesla
1c4912d724ce2c46bef48e510e3203d1b460c77cc16f3fc2eaec561499b37302
AgentTesla
6c5deef73d02f6a72b9e5db340f3a5e3743d6a63fe0827815378bf2b13624d39
AgentTesla
7681b3e36910fd04d90febb8fe222537db5fa8cb2c699c19a4a6eb3470e71292
AgentTesla
7b4cf761f6d81b2808e88bd6239a3b15909c828ea709cf6f975f5caa6be7e472
AgentTesla
c323cff8253a448437474f68f4792fceb7f3424ca6a3ed260b5fe81acd88d49c
AgentTesla
cf30b3791cfb71dbfaaa21d0fc7f030810ad8181d4fcee623667b09602471400
AgentTesla
fee59f311b2bd04aed3c5f40d7453366ceda8931de8e9dee2a64ef03823455ac
AgentTesla
ffef2423a18b6a9c7cea5e976c71cd5f5dbdacdc70bc0a08237443aad6dacf6c
AgentTesla
+ 5'123 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230724-cxz6bshf33/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/621105eb-1a49-4edd-8866-af57f544e90a/
SH256 hash:
b0650593ee79c50810c861ce8380734ea9de3a1adf77e425cf86b8673ade7b72
MD5 hash:
d68f2f9257c91b202f5d393689199180
SHA1 hash:
c98b52638766aca0e2c82b2416d23f296370660e
Link:
https://www.unpac.me/results/621105eb-1a49-4edd-8866-af57f544e90a/
SH256 hash:
12195ac814223ea086492e8a8842cbed9d0b18a54896a7d5ba3657612a918d3a
MD5 hash:
cc5b8022b0d5d141a5f2dec017b77a19
SHA1 hash:
c8e25b4ca68c5631d9e0fee214f645e3d62d801a
Link:
https://www.unpac.me/results/621105eb-1a49-4edd-8866-af57f544e90a/
SH256 hash:
1cf3d78e6dd3a5d708652ded650a9b7408bafa427703ec0dd924d514ed29ad83
MD5 hash:
f5f77bc21ae1d07886778a893618a0ee
SHA1 hash:
52fab8f45f2ecf3f7a92900ccdde2ef9c8ef7ecb
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/621105eb-1a49-4edd-8866-af57f544e90a/
SH256 hash:
7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
MD5 hash:
1f56c245157f59bd32238edc9170a11c
SHA1 hash:
a693ec7bdaa1e0f372511b9669fd7cd955b49d64
Link:
https://www.unpac.me/results/621105eb-1a49-4edd-8866-af57f544e90a/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7510d23c5bd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/430516/

Comments