MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d16e17bac79f1f43967b698f3f47d0e3f9007198876f9118865e0a7e87315bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

SHA256 hash: 7d16e17bac79f1f43967b698f3f47d0e3f9007198876f9118865e0a7e87315bf
SHA3-384 hash: eb15f5d6ef5a51519fdd530f656b74b1dc41fa8a6de6969e58f3e7cfc768d310479b560c7d0ed5137ea3f687ea6bf3d6
SHA1 hash: e3ffc038f6671e33fa4309a4e49c3b1a74a78c38
MD5 hash: ad0eb73290c3391f694c729059163025
humanhash: carolina-alpha-oregon-nine
File name: INVOICE.exe
Signature: AgentTesla
File size: 807'936 bytes
First seen: 2020-09-10 14:32:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 107c3368e512cbae16bf262df208efd9 (8 x AgentTesla, 5 x MassLogger, 3 x Formbook)
ssdeep: 12288:5Am53b7XYJIdqam73S9gTmskNIpC6yr949IsSQ9Ibo1y/zL:aQ3gIdrbm8rGIsSQWb
TLSH: 3C056C26BFE1C873F0F31A3C5C476E74981A7DD32928595AFBE8DD0C8E296513929087
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

From: Exports Manager <gopi@alangroups.com>
Subject: Payment For Outstanding Invoices
Attachment: PO.gz (contains "INVOICE.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph: ID 284065, sample INVOICE.exe, start date 10/09/2020, architecture WINDOWS, score 100 (rendered graph; only the node labels are recoverable here).
Process nodes: INVOICE.exe and wscript.exe started; INVOICE.exe started further INVOICE.exe instances and notepad.exe.
Network nodes: hybridgroupco.com and mail.hybridgroupco.com (66.70.204.222, ports 49733, 49734, 587; OVHFR, Canada).
Dropped file node: C:\Users\user\AppData\Roaming\...\Z.vbs (ASCII), dropped by notepad.exe.
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-09-09 16:38:44 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: agenttesla
Score: 10/10
Tags: upx spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 7d16e17bac79f1f43967b698f3f47d0e3f9007198876f9118865e0a7e87315bf (this sample)
Delivery method: Distributed via e-mail attachment

Comments