MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f
SHA3-384 hash: 7e696900987e2752ad0c6379cb1778c9f6c3ecc9d93f15e07822888ffab36d422d4428f53bddffe1d41c4092b4c5d163
SHA1 hash: ca0143660476d160dd09019c55f0840cfc8f8644
MD5 hash: 8ac8b1021095bf02fc6a5b109950e222
humanhash: white-pluto-crazy-berlin
File name:Customer Statement 20202387.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:659'968 bytes
First seen:2023-06-21 12:58:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:omGpdvDhH62MmgPF6/HhT1rywFVAy34sq9ZkuLZfAp01urSJwWDjpIEyWgIs:4dvDcAwET1ryJ/ZtZIp0Mr49pu0s
Threatray 5'532 similar samples on MalwareBazaar
TLSH T1B5E41204723F8B22E6BB83F5D121127913B72E597512E7AE8ED770E72425F090252EDB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Customer Statement 20202387.exe
Verdict:
Malicious activity
Analysis date:
2023-06-21 13:00:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3c6b1c1-62e0-40b1-bcf0-549b5d33b2b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401357/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.64740.9331.21693.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6492f41999f0c0cb093339b4/reports/872f4bb9-3562-4366-900e-260c2007b95f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8bc26db3-3256-4e67-9064-e6bbfab0e0a3
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259016
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 07:00:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=prmik6n2u5uvqqlahvwvwlf5blu26h7utpqa35vejpaybnml5nxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
393d94791809b4059141bd1d6de789b431a71eb544bc7f7b0d7a1700c042ece5
AgentTesla
423562e381586b1c4169d9c3c00014ef14c69bc546897a47ad7a301ac6c7c3c1
AgentTesla
45e42d2b33ab14110170565f964d48f19571206f7fbe61c1f222603e0fec2015
AgentTesla
5206fb34c3360635f7a152e0f3f336dafbca03f1e3d2bb957b8cb9adc726240e
AgentTesla
7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0
AgentTesla
8aa6646e0d7997fc15f5b67cfddb0aef3d1ca580c5dabf0396e6c62fa666ec70
AgentTesla
9197cc85a9c5fc3d9463da236c1c96551a0e805bdfd2d3c133a479f9b2ae6d0a
AgentTesla
b4deb5c9d4417c4cc42bdb2c388f6c0552115e6df80b86e680a4aa08a3c0df15
AgentTesla
c1b407328dfb3df00e409a9c3661b8ed81aea549322104e30929f1d669404d06
AgentTesla
+ 5'522 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230621-p724wsag8t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1120603697681022976/cQBs9ZGgdbiPVxntOouaILbrLL6RuZSgktjWFQKp9_fxlO8dYgaR5Fq25_nGTPO0w6Ae
Unpacked files
SH256 hash:
bdb7349085b37fe8197e0505c39fec07423b640a7551df5f2f08b2d68a37da42
MD5 hash:
d4f7baa48cc0d034b7910fdda6200764
SHA1 hash:
fd967af655c06dcac9d952f21c3e1cd076d88fa9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/4d4116b9-50b9-46ca-a3b6-98a89c69af7e/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/4d4116b9-50b9-46ca-a3b6-98a89c69af7e/
SH256 hash:
e264f0c940c3c87c819983c3929680352662b0a457f33850f0385980346ba761
MD5 hash:
d6dc2957bd369ab5eed2c0827c8fa328
SHA1 hash:
be10d8ab5288ea35cbe0c5c344ca33e0bfc0dd98
Link:
https://www.unpac.me/results/4d4116b9-50b9-46ca-a3b6-98a89c69af7e/
SH256 hash:
2ec9f5fba1e251583d2f7e83f091ba26aadc7dca6dbe5a48054d1ba9120ac23f
MD5 hash:
d9b29b4381873474c2623c149d1a0315
SHA1 hash:
a5d1aedc4a22f078b5f61eb845b92c51e0d8a495
Link:
https://www.unpac.me/results/4d4116b9-50b9-46ca-a3b6-98a89c69af7e/
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
Link:
https://www.unpac.me/results/4d4116b9-50b9-46ca-a3b6-98a89c69af7e/
SH256 hash:
7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f
MD5 hash:
8ac8b1021095bf02fc6a5b109950e222
SHA1 hash:
ca0143660476d160dd09019c55f0840cfc8f8644
Link:
https://www.unpac.me/results/4d4116b9-50b9-46ca-a3b6-98a89c69af7e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c588579baa7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/401357/

Comments