MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc
SHA3-384 hash: 28887899032ca2194f7e4fea2218878331f52549b0954d24eb1a36130ae9c4be911a9683e1a4504ca77b023e3185f615
SHA1 hash: d4e35fe7a64fc5c8b289682e0e1e9597d02e40ea
MD5 hash: 04b30831cf0553642202a4c813850d4c
humanhash: ink-alpha-april-cat
File name:Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'077'248 bytes
First seen:2023-03-13 16:26:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8bSDbOtv1K8tUyZmMRxEy0g45HfmkLd2lzSjZi35MKzyhQTiGB/MSQC4p9NsjZ6F:8KukLscjMpMKNiG+EPAf9sWccCO
Threatray 92 similar samples on MalwareBazaar
TLSH T136357BC663358C09FE501D3E735564B3CE53CD89D8EBB29F2A83BD2564F914809CEA92
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-03-13 16:27:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b47cb906-a4eb-4131-b36e-5c2eb4a8da12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374089/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/640f4e9d56d2bc8d80b738e0/reports/23b62c79-aeba-42bf-a4bf-6ce29db6d23f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70c8295a-840d-4298-a87b-ca7eb0038ae4
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192748
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 825648 Sample: Invoice.exe Startdate: 13/03/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 5 other signatures 2->49 7 Invoice.exe 7 2->7         started        11 dvLCFoBsY.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\dvLCFoBsY.exe, PE32 7->33 dropped 35 C:\Users\...\dvLCFoBsY.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp239C.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...\Invoice.exe.log, ASCII 7->39 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 Invoice.exe 2 7->13         started        17 powershell.exe 22 7->17         started        19 schtasks.exe 1 7->19         started        59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 21 dvLCFoBsY.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 dvLCFoBsY.exe 11->25         started        signatures5 process6 dnsIp7 41 mail.focuzpartsmart.com 162.240.214.202, 49704, 49705, 587 UNIFIEDLAYER-AS-1US United States 13->41 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->63 65 Tries to steal Mail credentials (via file / registry access) 21->65 67 Tries to harvest and steal browser information (history, passwords, etc) 21->67 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 15:30:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmk2q7lrgp2grza7itgvxwwseuxy3aeya5wg5ofclxg5wdmur7oa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06075b49f2b94cccbd7ffadc3fd0db2d2e47a4888f749cbb3685904146ff613a
AgentTesla
0c839aeb24cb1891e0e811643a0c1c59f4ed376c4160c7d40dcd20fd750dac0f
AgentTesla
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163
AgentTesla
34295d7afd974fbf4786c737e60c28c8c1b8f2376465623e9ef49b7cedb26e71
AgentTesla
6f35b489ab7913d10901fc99d631d5aa310df2c1a24c67e89d9933b5ea603d98
AgentTesla
7558016ac4ac085644fa7f85465e331a1764edbc8bcc5baa16779e5595d8d678
AgentTesla
ae9f0a09b1f95cb4ef05dc51e749a6b33e641a67cbf7cafc6fef41dbbd5b7671
AgentTesla
d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128
AgentTesla
e7534a0a853b8f9adac6cdf14f130c09c955b913726507f28a18c1e6700820aa
AgentTesla
+ 82 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230313-txhpqadc2t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/356e5003-cf3b-4c83-9d0f-1d7ec181c585/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
15550c934df5f86c5586e88e88e02148856fd0d3cb7a398fa09272cde45f8e80
MD5 hash:
589c8239ea7a3d150d4c21478466c973
SHA1 hash:
7b72190ddc4badeb88877809df1ea2f48b0b6327
Link:
https://www.unpac.me/results/356e5003-cf3b-4c83-9d0f-1d7ec181c585/
SH256 hash:
3c6f6f354685884756d906e52914b1435437707c3c993c728aa35080d003d5df
MD5 hash:
e4161a64de75718d3752997cce3946a1
SHA1 hash:
673c3ce93cde273d194dd9255485cf5cf7bd17e8
Link:
https://www.unpac.me/results/356e5003-cf3b-4c83-9d0f-1d7ec181c585/
SH256 hash:
adce617de6cf0e3a755c4bfc5cb7ec629bdacc02e1933a19426745b47de322c6
MD5 hash:
d638a4cf72d8b9807135bfd0434b9f30
SHA1 hash:
5b8201c83c38bb136f977dd607b515fa8169f746
Link:
https://www.unpac.me/results/356e5003-cf3b-4c83-9d0f-1d7ec181c585/
SH256 hash:
2b1725a1d4b74a010922cd83d4c187e2aca403af51ee7af7b3d7590c3bc25b4b
MD5 hash:
5371c1f1d44a4ebb0e31b8f681342797
SHA1 hash:
1315d693a9701578b3ab325c8b05b84189086e5a
Link:
https://www.unpac.me/results/356e5003-cf3b-4c83-9d0f-1d7ec181c585/
SH256 hash:
7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc
MD5 hash:
04b30831cf0553642202a4c813850d4c
SHA1 hash:
d4e35fe7a64fc5c8b289682e0e1e9597d02e40ea
Link:
https://www.unpac.me/results/356e5003-cf3b-4c83-9d0f-1d7ec181c585/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b15a87d7133/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/374089/

Comments