MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d9f90cafdbd083935d3ba187692410fbb27ceac79b187a8ae75bb174cdfcf89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d9f90cafdbd083935d3ba187692410fbb27ceac79b187a8ae75bb174cdfcf89
SHA3-384 hash: 2fa78f316adca2db740b11b0cc61cc99d9c146ec8501195c86cfbab14c4e3df5d1af52b24ee3ba9740c3f61dd5fc87f3
SHA1 hash: 7ed704fb17b0695d7c4d0ed0fb18a80d23e113bc
MD5 hash: 3553071ef4e90fa647f1a270348621ec
humanhash: sixteen-video-bluebird-ohio
File name:SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358
Download: download sample
Signature AgentTesla
Create hunting rule
File size:271'360 bytes
First seen:2023-08-13 13:39:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:FJiL/nX+nc+S/1Ih7Zjz5H5CWF6gJb1Lr39HsUS:fiL4cHy7ZHjCWQgJb1nNMv
Threatray 25 similar samples on MalwareBazaar
TLSH T1DF4402C9130C62E2C06FC9F9096A53C07335CDC5158AFAFAEA82ACFB5E8FB255750495
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e2e26a6b62300000 (1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358
Verdict:
Malicious activity
Analysis date:
2023-08-13 13:41:24 UTC
Tags:
agenttesla stealer evasion
Link:
https://app.any.run/tasks/d947386d-b53f-4838-9475-40254308d855

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442510/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Setting a keyboard event handler
Creating a file in the %temp% directory
Reading critical registry keys
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Changing the hosts file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64d8dd352a1db2a88acd7060/reports/a2f0a23a-44a4-4105-b55b-1f3ec2a45935/overview
Verdict:
Malicious
Labled as:
TSPY_NE.1E775F4B
Link:
https://www.hybrid-analysis.com/sample/7d9f90cafdbd083935d3ba187692410fbb27ceac79b187a8ae75bb174cdfcf89
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13862277-e5d7-459d-a84d-46bc30da7767
Result
Threat name:
Agent Tesla, AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290675
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Agent Tesla keylogger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290675 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 13/08/2023 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for dropped file 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 6 other signatures 2->62 8 SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358.exe 2 4 2->8         started        12 bzm.exe 1 2->12         started        14 bzm.exe 2->14         started        process3 file4 40 C:\Users\user\AppData\Roaming\bzm\bzm.exe, PE32 8->40 dropped 42 C:\Users\user\...\bzm.exe:Zone.Identifier, ASCII 8->42 dropped 78 May check the online IP address of the machine 8->78 16 SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358.exe 15 18 8->16         started        80 Antivirus detection for dropped file 12->80 82 Multi AV Scanner detection for dropped file 12->82 84 Machine Learning detection for dropped file 12->84 21 bzm.exe 14 16 12->21         started        signatures5 process6 dnsIp7 44 checkip.dyndns.org 16->44 46 vh98.timeweb.ru 92.53.96.162, 21, 49760, 49779 TIMEWEB-ASRU Russian Federation 16->46 48 checkip.dyndns.com 193.122.130.0, 49718, 80 ORACLE-BMC-31898US United States 16->48 34 C:\Users\user\AppData\Local\Temp\QOo.exe, PE32 16->34 dropped 36 C:\Windows\System32\drivers\etc\hosts, ASCII 16->36 dropped 64 Tries to steal Mail credentials (via file / registry access) 16->64 66 Modifies the hosts file 16->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->68 23 QOo.exe 16->23         started        50 checkip.dyndns.org 21->50 52 132.226.247.73, 49757, 80 UTMEMUS United States 21->52 54 192.168.2.1 unknown unknown 21->54 38 C:\Users\user\AppData\Local\Temp\BkQ.exe, PE32 21->38 dropped 70 Tries to harvest and steal browser information (history, passwords, etc) 21->70 72 Installs a global keyboard hook 21->72 file8 signatures9 process10 signatures11 74 Antivirus detection for dropped file 23->74 76 Multi AV Scanner detection for dropped file 23->76 26 SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358.exe 23->26         started        28 SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358.exe 23->28         started        30 SecuriteInfo.com.Trojan.PWS.Stealer.19347.4238.17358.exe 23->30         started        32 16 other processes 23->32 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d9f90cafdbd083935d3ba187692410fbb27ceac79b187a8ae75bb174cdfcf89/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2018-03-01 09:20:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwpzbsx5xuedsnotximhnesbb65sptvmpgyypkfoow5rotg7z6eq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cf22420a396d9602d5028670b9e175550da36e8fe4c3bbe85a4de01419d8f2f
AgentTesla
25117250468990f967ad94aa32ef8f26151f80a67516c5523a1d6e41b4b8428b
AgentTesla
94d008685ba759f32d3b80b5542394c9bd4a4f2ca42781cb67f31a7460244bcc
AgentTesla
97cd614fd58a9d297fa8c9288be2558a1f24c4a2d99ef62a50202824ea7a7662
AgentTesla
aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
AgentTesla
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
AgentTesla
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/230813-qyjrmaeg91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Unpacked files
SH256 hash:
19fed10083a7b48930e5a4caab964b445a58ffe14d98b206fa96ccd7d928ae61
MD5 hash:
aa5e9af3f263b96805f14058605f21e9
SHA1 hash:
93af8b831785be78e7a79062f31e2776333047f3
Link:
https://www.unpac.me/results/685c46d1-5291-4057-b852-e2eaaeecdd68/
SH256 hash:
6e87a08142b9bf047e6a1ffbe916ca6ea1f3b2c3db6dfb4ae0d409dc22a94529
MD5 hash:
9f185a24bed82407f7db915a439879e6
SHA1 hash:
7decaf750e4ef96994957108628b82aa637078cd
Link:
https://www.unpac.me/results/685c46d1-5291-4057-b852-e2eaaeecdd68/
SH256 hash:
d184824b14e5a24c549dffc338d8e33da821705d573fe222d93644d9ac4487cd
MD5 hash:
0f0908c8407a224d8587a5e4b12b67ab
SHA1 hash:
6e31f8a93679355faace49da973e3a488859ca6f
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/685c46d1-5291-4057-b852-e2eaaeecdd68/
SH256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
Link:
https://www.unpac.me/results/685c46d1-5291-4057-b852-e2eaaeecdd68/
SH256 hash:
7d9f90cafdbd083935d3ba187692410fbb27ceac79b187a8ae75bb174cdfcf89
MD5 hash:
3553071ef4e90fa647f1a270348621ec
SHA1 hash:
7ed704fb17b0695d7c4d0ed0fb18a80d23e113bc
Link:
https://www.unpac.me/results/685c46d1-5291-4057-b852-e2eaaeecdd68/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d9f90cafdbd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d9f90cafdbd083935d3ba187692410fbb27ceac79b187a8ae75bb174cdfcf89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:kevoreilly
Description:AgentTesla Payload
Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:agent_tesla
Create hunting rule
Author:Stormshield
Description:Detecting HTML strings used by Agent Tesla malware
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442510/

Comments