MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d8781f3e909a3ad03ec7e4bba80a4fc1128d296117921277380ee55d46b3700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d8781f3e909a3ad03ec7e4bba80a4fc1128d296117921277380ee55d46b3700
SHA3-384 hash: f3644c96a424b1e81b0605b0707caf9291468925e12e543131f53c0dc31c931a4a71b802d6b2fbd0c7064f6d6499294a
SHA1 hash: 5cba3a85ce11120eb1f1f319e13d40e7384e6442
MD5 hash: 3c1a57ff54751f3bb508cc1abe4f6b40
humanhash: iowa-red-beer-saturn
File name:Purchase order 3812_xls_.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:842'240 bytes
First seen:2023-01-24 09:24:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:QxEOxdueHm0Y12iNUdr+FJP8XeBJE0DjjG2V4HKkWt94w9H4/ZOtG2v:QxEO7Hk11GF+F58u/fa2V4ibnYRyG
Threatray 23'114 similar samples on MalwareBazaar
TLSH T19B057CAA327A161AF5EA53FCD080500C43B2981E995EE26C1C82A0F595F9F5C4F1FB77
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4cc04a4c5c5a0004 (7 x AgentTesla, 4 x Smoke Loader, 2 x DarkCloud)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase order 3812_xls_.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 09:28:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39bc04ec-754f-4210-b353-48d0c8ba67e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356332/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/63cfa3f189bd67c10fd9b26d/reports/83a717c6-4fc4-4e84-a046-715958eacc00/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a749427-a015-4147-9f4b-9a5c534f7140
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157763
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790504 Sample: Purchase order 3812_xls_.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 11 other signatures 2->62 7 IExfgo.exe 3 2->7         started        10 Purchase order 3812_xls_.exe 4 2->10         started        13 IExfgo.exe 2->13         started        process3 file4 64 Multi AV Scanner detection for dropped file 7->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->66 68 May check the online IP address of the machine 7->68 74 2 other signatures 7->74 15 IExfgo.exe 14 7 7->15         started        32 C:\Users\...\Purchase order 3812_xls_.exe.log, ASCII 10->32 dropped 70 Adds a directory exclusion to Windows Defender 10->70 72 Injects a PE file into a foreign processes 10->72 19 Purchase order 3812_xls_.exe 17 10 10->19         started        22 powershell.exe 21 10->22         started        24 IExfgo.exe 13->24         started        signatures5 process6 dnsIp7 34 162.159.130.233, 443, 49721 CLOUDFLARENETUS United States 15->34 36 162.159.134.233, 443, 49722, 49725 CLOUDFLARENETUS United States 15->36 38 api.ipify.org 15->38 40 api4.ipify.org 64.185.227.155, 443, 49713, 49716 WEBNXUS United States 19->40 42 discordapp.com 162.159.133.233, 443, 49714 CLOUDFLARENETUS United States 19->42 46 3 other IPs or domains 19->46 28 C:\Users\user\AppData\Roaming\...\IExfgo.exe, PE32 19->28 dropped 30 C:\Users\user\...\IExfgo.exe:Zone.Identifier, ASCII 19->30 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->48 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->52 26 conhost.exe 22->26         started        44 api.ipify.org 24->44 54 Tries to harvest and steal browser information (history, passwords, etc) 24->54 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d8781f3e909a3ad03ec7e4bba80a4fc1128d296117921277380ee55d46b3700/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwdyd47jbgr22a7mpzf3vafe7qisruuwcf4scj3tqdxflvdlg4aa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
0b6fe08b7961d9d73a00310338fcf785c2568d1a843b58aa468ca94cfb7154f1
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
2e6e7a03046940761b6d2c75a14c6a01a9e31497053de523ef292d643c30e9a3
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
b4353534a3286e4744c56adfa83a4291eaaba9ae93e41454fdb99d016f7cc927
AgentTesla
+ 23'104 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230124-ldl9ssad55/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e6aaed3b7633a1df98b19e31abdad2bc3fbb38bfad83df16c89428701a5da611
MD5 hash:
5307c76aa19a367df43d36e3159ba314
SHA1 hash:
d05a7deb9a55ad4a9a38f0d61042e7f989ab6f74
Link:
https://www.unpac.me/results/00468a83-1b41-4024-bf83-addc4418cd29/
SH256 hash:
735ddd405a0d1d93dbf0be0839f4fb2b64beb115f506688854638c0b765f0d98
MD5 hash:
d9bb78f7437dbdd94477affd3b9ae196
SHA1 hash:
ced48ada2c9a6d7daccb6555b3bcf9e9a6b5b4ca
Link:
https://www.unpac.me/results/00468a83-1b41-4024-bf83-addc4418cd29/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/00468a83-1b41-4024-bf83-addc4418cd29/
SH256 hash:
db5d0ab6603aa8bc470668a6f7a38977d655d9afd55f0d73d3606954337c4cc7
MD5 hash:
bf2d0976e73ac4af0c950dfe1719b805
SHA1 hash:
398aa7c9d5a611e06699c6195593a8601b9a3609
Link:
https://www.unpac.me/results/00468a83-1b41-4024-bf83-addc4418cd29/
SH256 hash:
1461c41ca7d637115b6e515e2cd5e7a611911a3cf3971fe57473f4fb11395025
MD5 hash:
52020f872eae6efc0f50c15411a524ab
SHA1 hash:
27ee6e2c576b900386d938c42b106a6b292e42aa
Link:
https://www.unpac.me/results/00468a83-1b41-4024-bf83-addc4418cd29/
SH256 hash:
7d8781f3e909a3ad03ec7e4bba80a4fc1128d296117921277380ee55d46b3700
MD5 hash:
3c1a57ff54751f3bb508cc1abe4f6b40
SHA1 hash:
5cba3a85ce11120eb1f1f319e13d40e7384e6442
Link:
https://www.unpac.me/results/00468a83-1b41-4024-bf83-addc4418cd29/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d8781f3e909/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d8781f3e909a3ad03ec7e4bba80a4fc1128d296117921277380ee55d46b3700

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356332/

Comments