MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7792cfdea70e6811fb6df5636cae82719c7946bc2b82ab8473b7745583176ea3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla
Vendor detections: 12



SHA256 hash: 7792cfdea70e6811fb6df5636cae82719c7946bc2b82ab8473b7745583176ea3
SHA3-384 hash: a6cff44d39cf393d3309d8934e9976be7fc97a55599b795a58bc0497185a37b971c1acdc9e922f5b4a5235abdf510693
SHA1 hash: 3faa8629f83493a69efe13bee8fba86bf18162c2
MD5 hash: d695456e1d386116e7ba1e9dd0927a95
humanhash: ceiling-delaware-network-romeo
File name: SecuriteInfo.com.W32.AIDetectNet.01.23013.12320
Signature: AgentTesla
File size: 979'456 bytes
First seen: 2022-06-03 18:37:59 UTC
Last seen: 2022-06-03 19:32:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:kxQcObinAawVIMVu1Z0na7CqwXKueL5PLeiNeLUG7vDu58XBessJJ+Gm8nsVI4dS:kxQXiA3Wg8CqCre1PLGLUG3uwesK
Threatray: 18'053 similar samples on MalwareBazaar
TLSH: T1BA258C883AD466DEC49789F29D94FF10B62D785E434B8E07BD131658A90C1D28F392EF
TrID: 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.5% (.SCR) Windows screen saver (13101/52/3)
      9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: SecuriteInfoCom
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 440
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.W32.AIDetectNet.01.23013.12320
Verdict: Malicious activity
Analysis date: 2022-06-03 18:43:29 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-06-03 15:49:04 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
