MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
SHA3-384 hash: c1c83f7feedd811fd2d46086d555fd3264918f7b51229a1f9f7af07afe5896a32d8d2c186f250c99e8b22a7a390db65a
SHA1 hash: d128f77a5da4f701fd56dad96e6dc6943ba77804
MD5 hash: b00d44424df371b0711269a593eca3fa
humanhash: snake-sodium-high-skylark
File name:7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
Download: download sample
Signature AgentTesla
Create hunting rule
File size:920'576 bytes
First seen:2023-10-12 09:50:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:X1FFeYP7YDn76jtojh+t2JkKK9bftmjF/SdOGr7:X/FFzY/6S9bK9bftmjFqHv
Threatray 242 similar samples on MalwareBazaar
TLSH T1A815DF6C7770719EC497C8FE9A585D68E6F1746A474B8303B12366BE9A1E3D2CF001E2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71e0cccce0ecf871 (5 x AgentTesla, 2 x SnakeKeylogger, 1 x PureCrypter)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
Verdict:
Malicious activity
Analysis date:
2023-10-12 09:48:40 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/338fff67-93ea-4eca-be2f-35041ce1d16f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453733/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed strictor
Link:
https://www.filescan.io/uploads/6527c1864a70eb0012f7f098/reports/ea04b047-0d43-4731-8a42-de24979fb233/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8ef7f30a-69f1-48f5-8de4-2eeef24a1159
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324541
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1324541 Sample: wY5bYZ8yXX.exe Startdate: 12/10/2023 Architecture: WINDOWS Score: 100 42 sh003.webhostbox.net 2->42 44 api4.ipify.org 2->44 46 api.ipify.org 2->46 52 Found malware configuration 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 8 other signatures 2->58 8 wY5bYZ8yXX.exe 7 2->8         started        12 kLZCAdvxb.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\kLZCAdvxb.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp3408.tmp, XML 8->40 dropped 60 Detected unpacking (changes PE section rights) 8->60 62 Detected unpacking (overwrites its own PE header) 8->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->64 72 2 other signatures 8->72 14 wY5bYZ8yXX.exe 15 2 8->14         started        18 powershell.exe 22 8->18         started        20 powershell.exe 23 8->20         started        28 2 other processes 8->28 66 Antivirus detection for dropped file 12->66 68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 22 kLZCAdvxb.exe 12->22         started        24 schtasks.exe 12->24         started        26 kLZCAdvxb.exe 12->26         started        signatures6 process7 dnsIp8 48 api4.ipify.org 173.231.16.77, 443, 49714, 49716 WEBNXUS United States 14->48 50 sh003.webhostbox.net 162.241.27.12, 49715, 49717, 587 UNIFIEDLAYER-AS-1US United States 14->50 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->74 76 Tries to steal Mail credentials (via file / registry access) 22->76 78 Tries to harvest and steal browser information (history, passwords, etc) 22->78 34 conhost.exe 24->34         started        36 conhost.exe 28->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 18:28:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pnx5gdwhtpiy7xio634yvlsqmvcyj24dnwzsacuhbvqdkc6vwz6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de
AgentTesla
4b3919bc8ab3c523d2cc6c48a0279cf72d39de65e3ef428b922461f833e6ad4d
AgentTesla
5c052358e586f6c13f6b87a424648e4a36629f3998cb90baf6372e1ce37b6920
AgentTesla
861858ded7f88ccc9998eb6286cf9376fe7509a04901808bc5a3d35b076412a6
AgentTesla
be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89
AgentTesla
c76afbbf6fa00b8a5a2826a1104bb2b6468e6df5610e596f737086687ab96ff8
AgentTesla
ce3a3c9f22255146152575aa50fc9f5f1ef3f8c96b9b94cd766301045f846612
AgentTesla
e068262e4c1807050558428bab480871a43ceb983ab6c427454ffcb1a205aafa
AgentTesla
ebf0eb7fbb57169b6d1584235c63321857ca13207ba40e374aa8c6540da1ea74
AgentTesla
+ 232 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231012-lvgqmsbf7v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a655be43f79d44bf3e6720e6e1aa99b8fd94785cd46707d9a0dd48a10e4d20c8
MD5 hash:
7c2c98a1bc1af93e1bc1e0c933915b8e
SHA1 hash:
c5c3a2e553fdfa9010cf11b582fe3399c5551ffd
Link:
https://www.unpac.me/results/d92a93cb-a1de-4427-9429-15e67e4351e5/
SH256 hash:
c018b283b9f3ffc2bc235627e6139d6807e2dc34a63b41761fc85ffe70e32881
MD5 hash:
0f1e3472b988775b3876e3a95447551e
SHA1 hash:
4931e7080d8691772e9726e045a8b66bde8f8253
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/d92a93cb-a1de-4427-9429-15e67e4351e5/
Parent samples :
ce5546e8bc7a298f9bd3506d36462eaf20f2d10f12605db2784f40b21d2207b0
2ce23f32cc6773a978869f6ace53a7ea4a441cab0ebb6ee0063faa57c6fe1625
034cc3d5fbbc537705c747c03967c9c52cfaa04554065fd050cdd78de60105ec
3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de
7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/d92a93cb-a1de-4427-9429-15e67e4351e5/
SH256 hash:
0d6a63fc3d2880d0189a5831a7b78bfdb54dd0df98250adcf2de6ace07f47dc0
MD5 hash:
6aec969fd4bdb213475784442bdb4c88
SHA1 hash:
0555f0e2225b5e3322241070087c78c4c4d2c998
Link:
https://www.unpac.me/results/d92a93cb-a1de-4427-9429-15e67e4351e5/
SH256 hash:
7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
MD5 hash:
b00d44424df371b0711269a593eca3fa
SHA1 hash:
d128f77a5da4f701fd56dad96e6dc6943ba77804
Link:
https://www.unpac.me/results/d92a93cb-a1de-4427-9429-15e67e4351e5/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b6fd30ec79b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/453733/

Comments