MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a04dd7893f89eeffa0df553493f9a5367bf08e041c4989888e84d7006a65a65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 22 File information Comments

SHA256 hash:	7a04dd7893f89eeffa0df553493f9a5367bf08e041c4989888e84d7006a65a65
SHA3-384 hash:	81304c2238cc9a9ae17d29377eefda53f664051b3ce59bba09d598d684580e970c44a9d01b06543dd0703d5199e2e613
SHA1 hash:	a163cc67910673826250abdf968700db8ad1083d
MD5 hash:	d6e1da58845f92291a7a8cc36a7e7996
humanhash:	september-video-quebec-seven
File name:	SecuriteInfo.com.Win32.PWSX-gen.9876.9886
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	737'280 bytes
First seen:	2023-11-14 08:31:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:8xpQLlfkU8GY+HqarSjZKUKNfBk3wfYJKKpJ/3SCCTKioJ8gajC:UahL1SGde3oqULTKi/g
Threatray	126 similar samples on MalwareBazaar
TLSH	T101F4125533699926E87D02F9B46611C057B1FE13A191E35D0CE77B9E2BF37808B02BA3
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.9876.9886

Verdict:

Malicious activity

Analysis date:

2023-11-14 08:33:29 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/518d9844-4e0d-4139-8e11-ad98a6c1269c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/458449/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.9876.9886.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Restart of the analyzed sample

Launching the default Windows debugger (dwwin.exe)

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin masquerade packed

Link:

https://www.filescan.io/uploads/655330848dacd6e41c323a08/reports/859348e0-f333-4d53-a4b1-859239872184/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7a04dd7893f89eeffa0df553493f9a5367bf08e041c4989888e84d7006a65a65

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0fe3e813-0fa9-47ed-bbef-cba3ab18667f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1342166

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7a04dd7893f89eeffa0df553493f9a5367bf08e041c4989888e84d7006a65a65

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a04dd7893f89eeffa0df553493f9a5367bf08e041c4989888e84d7006a65a65/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-14 06:12:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=picn26et7cpo76qn6vjusp42knt36chaihcjrgei5bgxabvgljsq._file

Verdict:

malicious

Label(s):

formbook

agenttesla

AgentTesla

3e419261ca6ed4120e6fe81d8733639c83bea1927940ba6f5e86874789c7c64c

AgentTesla

470e65ac1ca936571cd045b69b6cd2d203b075d3e53f9be24afd79de4a2d6856

AgentTesla

97863fc07fc27a0f99a2d434e307d7530364bfc137f8fd36a68674f1eae3533f

AgentTesla

b5aae370f7b29f63c9dd24562d16b7a77bda593fbe4d2f316046cdb444e343f6

AgentTesla

d3e71a337d58b6ae1f49be4a5d89258ce11dc33b86c0a6f3ca93c16170dc500c

AgentTesla

f45cce1292aa30dc88decc03fe81e7c10a64e4302eb1e3faa81c385e36d2a1ff

AgentTesla

+ 116 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231114-kesmjaac55/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Unpacked files

SH256 hash:

891dbd2c951460e50ccaf5432a484308830c60301d6bdf4b46c6f32d67587239

MD5 hash:

be973c22a483efcaad7a1a0a966346a3

SHA1 hash:

5b5fc6834fa90c6b2796e451abbb5b493d50be5e

Link:

https://www.unpac.me/results/bfbff908-1418-4ed5-b560-42b7dcbb635a/

SH256 hash:

ff83bf12a3c8d4d680dcfe30d1ece0de08992fc178d0f9c43e4e5fa43c580ab7

MD5 hash:

3e451521373dd03444a2dd5cb711fa77

SHA1 hash:

a7069336240fb6f51e385efebc41845f81300433

Link:

https://www.unpac.me/results/bfbff908-1418-4ed5-b560-42b7dcbb635a/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/bfbff908-1418-4ed5-b560-42b7dcbb635a/

SH256 hash:

76482f1dc9b0639dd6b2d762e09101875e207e8c60e146a43ca182a4c13d6afa

MD5 hash:

9561bc00330bfa400784c1b3b2075d0b

SHA1 hash:

b98f0014f428085dea5ea44108d64d9119e3d698

Link:

https://www.unpac.me/results/bfbff908-1418-4ed5-b560-42b7dcbb635a/

SH256 hash:

4d24c948447250bc1971ea4af37d4893633e34f8e655369d71c3952e9a85f5b5

MD5 hash:

5b2a028a06ff3412ae950c9c1d151f1e

SHA1 hash:

0529f1ac3eed201826bdc7681fe470b664eebd77

Link:

https://www.unpac.me/results/bfbff908-1418-4ed5-b560-42b7dcbb635a/

SH256 hash:

7a04dd7893f89eeffa0df553493f9a5367bf08e041c4989888e84d7006a65a65

MD5 hash:

d6e1da58845f92291a7a8cc36a7e7996

SHA1 hash:

a163cc67910673826250abdf968700db8ad1083d

Link:

https://www.unpac.me/results/bfbff908-1418-4ed5-b560-42b7dcbb635a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7a04dd7893f8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7a04dd7893f89eeffa0df553493f9a5367bf08e041c4989888e84d7006a65a65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/458449/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample