MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f
SHA3-384 hash: 123f15e25ab83df054d4eea8008dc29e7cff8b5096859746fb9cf432f85035c25d77990f610845862d346bdfd5320adb
SHA1 hash: 4fac2e09dbebab0b88530b9ec179fb402eee367c
MD5 hash: 076d74658cd68fbb94ae2e02910cac76
humanhash: illinois-batman-nine-football
File name:COA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:835'072 bytes
First seen:2023-07-20 09:56:14 UTC
Last seen:2023-07-20 13:01:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:gWmFSMrOEgqn+lALlUgCZpAB0hviM40qEu462txQzmF6KvzkQmvgS6:grFzngGnLlULBn45E6C6z9OkQmoS6
TLSH T139057D9B31B8C6C7E55D21B1B4224279C8E99C3F61CED74A2724F9A826D93ED0054FB3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon cccc82e0b0f06402 (3 x AgentTesla, 1 x MassLogger)
Reporter cocaman
Tags:AgentTesla exe QUOTATION

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
COA.exe
Verdict:
Malicious activity
Analysis date:
2023-07-20 09:59:01 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/bfa33964-2aa1-48e8-b2a0-0990c839a22d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/425932/
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.9823.2210.20944.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/64b904ef7a9c6ddebf0bdaa8/reports/5ad8e477-ecb3-4877-8971-1abef1334215/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2966703e-19a9-4b0e-a048-b97098c1d62b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276633
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1276633 Sample: COA.exe Startdate: 20/07/2023 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Sigma detected: Scheduled temp file as task from temp location 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 3 other signatures 2->42 7 COA.exe 6 2->7         started        12 VABSpTX.exe 2 2->12         started        process3 dnsIp4 28 192.168.2.1 unknown unknown 7->28 22 C:\Users\user\AppData\Roaming\VABSpTX.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp489C.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\Local\...\COA.exe.log, ASCII 7->26 dropped 44 Uses schtasks.exe or at.exe to add and modify task schedules 7->44 14 RegSvcs.exe 15 2 7->14         started        18 schtasks.exe 1 7->18         started        46 Multi AV Scanner detection for dropped file 12->46 48 Machine Learning detection for dropped file 12->48 file5 signatures6 process7 dnsIp8 30 mail.napco-pharma.com 198.38.88.80, 49694, 587 SERVERCENTRALUS United States 14->30 32 api4.ipify.org 173.231.16.76, 443, 49693 WEBNXUS United States 14->32 34 api.ipify.org 14->34 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->52 54 May check the online IP address of the machine 14->54 56 2 other signatures 14->56 20 conhost.exe 18->20         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 08:39:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pozzarwci7yqrysw6z5xvwte54wrvf44qi6fasotwzoluyy23zxq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230720-lyxk9sfc47/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
dda993e1ff1ac781704223fc9e4e70a12d0b142966f61670ad8f3c46da014c9a
MD5 hash:
89335bd0fd979ba9314d8dd68d267d7e
SHA1 hash:
d2923191779b5d4bf55998ed085a28b1ade81539
Link:
https://www.unpac.me/results/0488937a-9296-4c05-9c3b-466bd7883b4b/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/0488937a-9296-4c05-9c3b-466bd7883b4b/
SH256 hash:
cafeeb0da3ca600c76735df8d3877638ae83d6b571b9de70e7329d1e19b29ed9
MD5 hash:
ff6060392bfd0ae59c90399420b8da18
SHA1 hash:
147fe8759278c070842756e04f06e79566342d27
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/0488937a-9296-4c05-9c3b-466bd7883b4b/
Parent samples :
7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f
7b8b1dc1843eb601fea0db72ac0d4263a5e4a0517ef8a138e20d81950e5686c3
SH256 hash:
7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f
MD5 hash:
076d74658cd68fbb94ae2e02910cac76
SHA1 hash:
4fac2e09dbebab0b88530b9ec179fb402eee367c
Link:
https://www.unpac.me/results/0488937a-9296-4c05-9c3b-466bd7883b4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 7edaf845a36914859d373e74ffffec17af5c75a35c1e0bb9f0aa842401a016e5

AgentTesla

Executable exe 7bb39046c247f108e256f67b7ada64ef2d1a979c823c5049d3b65cba631ade6f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7edaf845a36914859d373e74ffffec17af5c75a35c1e0bb9f0aa842401a016e5
Cape
Cape
https://www.capesandbox.com/analysis/425932/
  
Dropped by
MD5 f7e3726f0758de244474cf21d4cb9b1c

Comments