MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb
SHA3-384 hash: c6ce867fff34d733410cd0c2dd03fb60dba50dd266bd7814a1a804e04871b948cce9efab09626f982635bf3fd33c6291
SHA1 hash: bfe2c041af8975d774da1c7da4825759174cd990
MD5 hash: e8af0f15ab522536c2effe7171cbc2a9
humanhash: east-hamper-friend-autumn
File name:invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'191'936 bytes
First seen:2023-03-14 16:04:36 UTC
Last seen:2023-03-14 17:28:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:UkSgNEtesDsnjaXU64weBMjdHqmZ/uidZiEx5hhM9BTmEM2buS/+I0Et7SoeXqf8:U/bOK1mzDWsxCQ513qticY8s94
Threatray 1'188 similar samples on MalwareBazaar
TLSH T19745392439FA502AB173EFAA8BE479EADA6FB7733B07645D109003864723941DDC153E
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
3
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-03-14 16:06:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6365cfeb-1910-42fe-b79b-7c456b9b7f0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374300/
Detection(s):
SecuriteInfo.com.W64.MSIL_Agent.EXI.gen.Eldorado.16345.1733.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64109b3106c49bd8b6b5bcf6/reports/27f993b8-51ff-4c1b-89f1-ea92e4edb496/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37177bda-7b39-4d19-9f06-31e45132824d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193484
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 15:50:45 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmfydql57ofqkpem62crta33pl672exjljdms7xyq6ebyz2ahh5q._file
Verdict:
malicious
Similar samples:
11eeb77d418ef5d9b701e2417ae0dc8cc73b74e65325e2ee6f371c7c17737ab5
AgentTesla
2267fac6e4bcace94d9ed232cc4ba7e128424e80c5730ea38f23610c11bdc168
AgentTesla
289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92
AgentTesla
28ff484ca36b3a1f5d7f59a25e947e9a6b12ca34214f9bcfca01cee5745e6b6a
AgentTesla
36f8d4d85b7d03fdbd622909d93638fa20bbdcc1e832591b82dbe7f710ab0be0
AgentTesla
6159a8ba420cbed9d0ca9abb371cd8b1e600c0e2fd7763f32cec6917605d51d9
AgentTesla
a0bf8575052b720932ab96605b4622a07453b1ace7cd73a8f262ca3e7fa7317a
AgentTesla
bc9a80c327839012274d763d66186497685a6b73e0b20eea73c720d61f5c9407
AgentTesla
d69974ab2591e06f55c58786be3fc436fe992c501dd37724869747e2369c909d
AgentTesla
fb8fdb08cf7984a3bac0cc7daeea3790a92306467543cf556945fc479a165dd8
AgentTesla
+ 1'178 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230314-tjhgssad51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses the VBS compiler for execution
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5711515928:AAGr5pLEJgjvMf5yBzvNPjftYdw-oXyzKzg/
Unpacked files
SH256 hash:
7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb
MD5 hash:
e8af0f15ab522536c2effe7171cbc2a9
SHA1 hash:
bfe2c041af8975d774da1c7da4825759174cd990
Link:
https://www.unpac.me/results/efdbdb40-c4b0-43b2-946d-44db7dd5620a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b0b81c17dfb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e

AgentTesla

Executable exe 7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/374300/
  
Dropped by
SHA256 66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e
  
Dropped by
SHA256 622d3da256fa5d0281b31851fffd47416f59b5ce523564d8e431d28015331fdb
  
Dropped by
MD5 973f07dd0c89cc52bca20eb9fc1395b6
  
Dropped by
MD5 01f106c15a4ec6185f23a9e4be85b176

Comments