MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78f4c1b57aeb42e553d83ffdcfdb1dbbc9ab906fa96682d83b6284c6f1fcc5a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78f4c1b57aeb42e553d83ffdcfdb1dbbc9ab906fa96682d83b6284c6f1fcc5a4
SHA3-384 hash: f6d3035a1534aa5c924230ffb63f7ed691a2103a092379ce56b97c4c378e387a3ce4baeccfed05eb786194be46e9d7da
SHA1 hash: eeae340398f8fe66dacf0e3276a1112451f53c96
MD5 hash: 25275fa3bb32481a1ccd978dc0eb1180
humanhash: solar-xray-arizona-lemon
File name:Remittance Transfer form - ppt.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:902'656 bytes
First seen:2022-07-12 08:17:52 UTC
Last seen:2022-07-12 08:47:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:rslK0oxqm1geixJlaPDA+rUu3rpJ8wq81cHqXJr6GH+uhk0HIojjm9kGwYjtGNyF:AB2FlDTr9L8wqqWCr6GH+ek0bssNa
Threatray 19'053 similar samples on MalwareBazaar
TLSH T18315F129FF66CE52C2584B36C5F70B5813749772C213EF8F2BE902292D233966C86995
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 18a219d4d4198a10 (20 x AgentTesla, 12 x Formbook, 10 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Remittance Transfer form - ppt.exe
Verdict:
Malicious activity
Analysis date:
2022-07-12 08:23:51 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/34c464bc-2390-41ec-90c4-893d633c4bd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286477/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.23869.23891.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/62cd2e778cb06ef4b0a13ac7/reports/8e8b52e5-223b-45aa-9b77-05278d6450b0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef13e919-8cc8-4a30-b3d0-c7752813c974
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029226
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 661721 Sample: Remittance Transfer form - ... Startdate: 12/07/2022 Architecture: WINDOWS Score: 100 57 mail.atriaholdings.co.zw 2->57 59 atriaholdings.co.zw 2->59 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected AgentTesla 2->73 75 10 other signatures 2->75 8 Remittance Transfer form - ppt.exe 7 2->8         started        12 SISuXKF.exe 2->12         started        14 SISuXKF.exe 2->14         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\VzPgFxEHngftP.exe, PE32 8->43 dropped 45 C:\...\VzPgFxEHngftP.exe:Zone.Identifier, ASCII 8->45 dropped 47 C:\Users\user\AppData\Local\...\tmp98AD.tmp, XML 8->47 dropped 49 C:\...\Remittance Transfer form - ppt.exe.log, ASCII 8->49 dropped 77 Adds a directory exclusion to Windows Defender 8->77 16 Remittance Transfer form - ppt.exe 2 11 8->16         started        21 powershell.exe 25 8->21         started        23 schtasks.exe 1 8->23         started        79 Machine Learning detection for dropped file 12->79 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->81 25 powershell.exe 12->25         started        27 schtasks.exe 12->27         started        29 SISuXKF.exe 12->29         started        signatures6 process7 dnsIp8 51 atriaholdings.co.zw 149.255.59.21, 49787, 49795, 49807 AWARESOFTGB United Kingdom 16->51 53 192.168.2.1 unknown unknown 16->53 55 2 other IPs or domains 16->55 39 C:\Users\user\AppData\Roaming\...\SISuXKF.exe, PE32 16->39 dropped 41 C:\Users\user\...\SISuXKF.exe:Zone.Identifier, ASCII 16->41 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->61 63 Tries to steal Mail credentials (via file / registry access) 16->63 65 Tries to harvest and steal ftp login credentials 16->65 67 3 other signatures 16->67 31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/78f4c1b57aeb42e553d83ffdcfdb1dbbc9ab906fa96682d83b6284c6f1fcc5a4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 08:18:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pd2mdnl25nboku6yh7647wy5xpe2xedpvftifwb3mkcmn4p4ywsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba
AgentTesla
3f356b2b27976a0b509fff133a75e59f45dd7bb2c2060b2ee98cc122449ce389
AgentTesla
43e94df274c3b9b46fd384ad2c5943bdd5d209bce84414e6a7e42383922dec67
AgentTesla
766c317f32e6d60a1eafbb6df187189a28a5acb8e7bfe4448204c9d7c8363916
AgentTesla
85dbaf3c1ef1403904104404461f1a40b9a0382c30babdc8db98c5dd38d1c7f7
AgentTesla
a6a072d01087b5f8c84a3bd029e5aaba7641803bdbfcc18d2593d6d96e0a3226
AgentTesla
caf14f719b9be20de7aa9789d5c1690f5ec483351d9718f247a372911d6633ae
AgentTesla
d89b1f5ea643700ba70441250f2e60045fb25c0d25fb5b9193f96995a07ecc2c
AgentTesla
e6b1f70fcfbfbe703a1b94fb1c779690847a305ab33b0f9c8ed449d97fd89042
AgentTesla
+ 19'043 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220712-j6958acec3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7ce302f82e57a3a65eea046d56181ae508cab184c189a35e21b21de4da1379b3
MD5 hash:
3aec7e5e093e3620e0d74bf8dfab3088
SHA1 hash:
b58a4e6160ee56f11a223b0b0d55ba1f77057e9b
Link:
https://www.unpac.me/results/63ee9fe0-9930-4eea-802f-3ec4b50474f2/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/63ee9fe0-9930-4eea-802f-3ec4b50474f2/
SH256 hash:
5c48e7b4f2c87b5078d1c509c22c2f2f6daac21d041996f60a5a14d812fee499
MD5 hash:
6d422bec7a72b79a176bc94ebbc448cc
SHA1 hash:
4bb60342c184df89df7e552e00f4f58e1a771dfe
Link:
https://www.unpac.me/results/63ee9fe0-9930-4eea-802f-3ec4b50474f2/
SH256 hash:
0f2e1888493c740582687c5edc4765707eef86ef7b4af91b378e9b8d22ceb52d
MD5 hash:
1b3d3e824b0539f1e477352e438b0c25
SHA1 hash:
37d59753de6b0e6f7140210a1c3ab953107e36b5
Link:
https://www.unpac.me/results/63ee9fe0-9930-4eea-802f-3ec4b50474f2/
SH256 hash:
b13976488d58387b5d72b6ab3acd505641bb8661d7fd83827e71db364a6ff4b6
MD5 hash:
4e2b3ad4ec086892c344d746ad07b82f
SHA1 hash:
c21cf8677bb58062c7bf756e1097163f7b5262e1
Link:
https://www.unpac.me/results/63ee9fe0-9930-4eea-802f-3ec4b50474f2/
SH256 hash:
78f4c1b57aeb42e553d83ffdcfdb1dbbc9ab906fa96682d83b6284c6f1fcc5a4
MD5 hash:
25275fa3bb32481a1ccd978dc0eb1180
SHA1 hash:
eeae340398f8fe66dacf0e3276a1112451f53c96
Link:
https://www.unpac.me/results/63ee9fe0-9930-4eea-802f-3ec4b50474f2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78f4c1b57aeb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78f4c1b57aeb42e553d83ffdcfdb1dbbc9ab906fa96682d83b6284c6f1fcc5a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 78f4c1b57aeb42e553d83ffdcfdb1dbbc9ab906fa96682d83b6284c6f1fcc5a4

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/286477/

Comments