MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430
SHA3-384 hash: a4c36a927016ce7cf62ec111610dd8859f27ca17caacf15d709f2954ce6c4376201cb052dd32345239a0cbcfe9f25d3a
SHA1 hash: 928bba0214e7e44f12da24c6ae48d038b877abff
MD5 hash: 6d481784ddebd32b6a604a897874f25c
humanhash: wisconsin-burger-jupiter-mars
File name:6d481784ddebd32b6a604a897874f25c
Download: download sample
Signature AgentTesla
Create hunting rule
File size:999'424 bytes
First seen:2023-03-02 11:37:12 UTC
Last seen:2023-03-02 13:37:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:mMuWADz1KGNrcTQui7a9n6V1P1k0hKa79LbZgxFst7IB8OfbRS3xwMREvE+LfIJl:Sec29n6fPJKa7puxFste8ERS3PIw
Threatray 53 similar samples on MalwareBazaar
TLSH T1BC258DC637FCD162F4EBA1720A1421C93A29F957B212E13BA733BB559600BFF7689540
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e2....................doc
Verdict:
Malicious activity
Analysis date:
2023-03-02 09:37:25 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/d5089ad1-520d-4069-804e-f994f2947a07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371141/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.27084.27812.13621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/64008a9d2ea6b36966305d5b/reports/d08ae4a4-b2bb-4ec9-9d8d-7bf6d3099a55/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6ad0274a-6b51-4d12-9a8f-43aee430407a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185661
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 818528 Sample: e4FmOn66w9.exe Startdate: 02/03/2023 Architecture: WINDOWS Score: 100 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 Machine Learning detection for sample 2->55 7 e4FmOn66w9.exe 7 2->7         started        11 thHVOlYHyYRLoS.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\thHVOlYHyYRLoS.exe, PE32 7->33 dropped 35 C:\...\thHVOlYHyYRLoS.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp6026.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...\e4FmOn66w9.exe.log, ASCII 7->39 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 RegSvcs.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 21 RegSvcs.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 RegSvcs.exe 11->25         started        signatures5 process6 dnsIp7 41 api4.ipify.org 64.185.227.155, 443, 49696 WEBNXUS United States 13->41 43 api.ipify.org 13->43 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->65 67 May check the online IP address of the machine 13->67 69 Tries to steal Mail credentials (via file / registry access) 13->69 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->71 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        45 173.231.16.76, 443, 49700 WEBNXUS United States 21->45 47 api.ipify.org 21->47 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-02 05:05:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 25 (88.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pszalqvtih2ppamve5omg7fqpt33esqpghyjmomjno4xuqjq4qya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06cd81198082d8438712ab708be1ef02d57bfc3a5bc65553aa5be350f0cd6081
AgentTesla
19146932c4a283f9e7580b7c6c729f81e1e3c7ad6012556f0b7059d8c4af559e
AgentTesla
34ee1f687542eedbad8004e9f6861d4842497c08d5374bf6ea50a8af633ebc22
AgentTesla
51a4fb3b2148da43d34a86a9af619af67ff8611f8bb7448e4edcb9d3207ca1b2
AgentTesla
79477d248daad8ef7e2470ec40e066f55e945d343b8bfe778359646b34182d91
AgentTesla
b2529986a8973dcb1028129512298ae4deffdc5a1e2ac225aa7f54fc44f6830a
AgentTesla
b531b9a7a424d41fe022f7f4a31aa7f764e8d0bc33793b9d271a8b5f90ac9378
AgentTesla
c64e816686cc06a37e310436359bf20fe1ca84d4daf75045fa569c4753ff98bc
AgentTesla
d7ea087df6c4c70925ed7a251405e8c1133654ad5ad5e3e3c8033a5f0c8f492a
AgentTesla
f70bfb83ca80a3a2af60a293e9842c87c36592b3bd5eb861e10496a8faf9376c
AgentTesla
+ 43 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230302-nrqkgscd31/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
6721cb306d299c2ce2592036f9726ece319d86eb2a13fbe166fdda408eb77143
MD5 hash:
9838884c0edd8a948beb06d54f286e20
SHA1 hash:
c170a3f4075cd9fae916ec1b46f6dd2aa1b0c52e
Link:
https://www.unpac.me/results/aca93203-5476-4a9e-a754-9c21e2fe5b2d/
SH256 hash:
1bab001c090f2f208e39247f8eeaeb77a0740bc9be7fa755cd57a863b3d22dd3
MD5 hash:
90b3109cf9cc5342015fc1583a78b282
SHA1 hash:
bdddff1c96296a0dc9f8d808e3b2d5829a15d2d2
Link:
https://www.unpac.me/results/aca93203-5476-4a9e-a754-9c21e2fe5b2d/
SH256 hash:
8bef0ec74b927ac081ee6de8852a0f6355e12f2fee84c559973143a440be6e83
MD5 hash:
5f722a6c12149fed72723488b5d960f8
SHA1 hash:
8e8379dff4eb546fec46811332af009bb972cbcf
Link:
https://www.unpac.me/results/aca93203-5476-4a9e-a754-9c21e2fe5b2d/
SH256 hash:
6396c473fcfd75e452a7b3d68d5dd2c94d6f80c97514ba0f182d556e94c7faf5
MD5 hash:
6986c676ac0e468bf4b27ac89bea0ea4
SHA1 hash:
3abdce6bddbb9394e19a47fa91ea473d964144b9
Link:
https://www.unpac.me/results/aca93203-5476-4a9e-a754-9c21e2fe5b2d/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/aca93203-5476-4a9e-a754-9c21e2fe5b2d/
SH256 hash:
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430
MD5 hash:
6d481784ddebd32b6a604a897874f25c
SHA1 hash:
928bba0214e7e44f12da24c6ae48d038b877abff
Link:
https://www.unpac.me/results/aca93203-5476-4a9e-a754-9c21e2fe5b2d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7cb205c2b341/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2554993/
Cape
Cape
https://www.capesandbox.com/analysis/371141/

Comments


Avatar
zbet commented on 2023-03-02 11:37:18 UTC

url : hxxp://15.237.37.205/723/vbc.exe