MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dc5bb06ed08dbca62e8ef7e92a2faf388469529654cfcd9795d3479ced1f797. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dc5bb06ed08dbca62e8ef7e92a2faf388469529654cfcd9795d3479ced1f797
SHA3-384 hash: 916efaee6413ca47de0d073b6fd7d8f47a64d0ddb4c8d7cd339c3bfe21178843d8ab173934e3ebd6ba539b2ed7e49028
SHA1 hash: 9271b75c17f65cd8b2cc1f30f3aa541fddc5ffcb
MD5 hash: 78814e3af04b9bdcd450b080e87d52bf
humanhash: washington-carpet-low-black
File name:SecuriteInfo.com.Trojan.Inject4.44721.17677.25654
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'019'392 bytes
First seen:2022-10-07 07:30:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:i51NbdXKh3IBJ7RD1gwB685QCnyxJ5GLJ:U1xdMIBJ7RD1xB65J5y
Threatray 12'947 similar samples on MalwareBazaar
TLSH T1BB256ABA22D54507E82532B5D883D1F32AFB6D606051D1CB6AD72FAFBC442BB9113387
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8673acc6466c3182 (5 x Formbook, 4 x SnakeKeylogger, 2 x Loki)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317529/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.44721.17677.25654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633fd5b9c9e2f3435433046e/reports/05ed2d4b-5ed1-490e-9e9e-82aa28661088/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/324f848c-900b-400d-af5b-8695c184025c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1085554
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 718111 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 07/10/2022 Architecture: WINDOWS Score: 100 26 Malicious sample detected (through community Yara rule) 2->26 28 Sigma detected: Capture Wi-Fi password 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 5 other signatures 2->32 8 SecuriteInfo.com.Trojan.Inject4.44721.17677.25654.exe 3 2->8         started        process3 file4 20 SecuriteInfo.com.T...17677.25654.exe.log, ASCII 8->20 dropped 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->34 36 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->36 38 Uses netsh to modify the Windows network and firewall settings 8->38 40 2 other signatures 8->40 12 SecuriteInfo.com.Trojan.Inject4.44721.17677.25654.exe 2 8->12         started        signatures5 process6 dnsIp7 22 smtp.yandex.ru 77.88.21.158, 49703, 587 YANDEXRU Russian Federation 12->22 24 smtp.yandex.com 12->24 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->42 44 Tries to steal Mail credentials (via file / registry access) 12->44 46 Tries to harvest and steal ftp login credentials 12->46 48 2 other signatures 12->48 16 netsh.exe 3 12->16         started        signatures8 process9 process10 18 conhost.exe 16->18         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7dc5bb06ed08dbca62e8ef7e92a2faf388469529654cfcd9795d3479ced1f797/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-10-07 05:35:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxc3wbxnbdn4uyxi557jfix26oeenfjjmvgpzwlzlu2httwr66lq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
177a1ddb21bb2abf9a45d773bdbdfdfcece823597aa8e8501069d1ad0a714c6a
AgentTesla
1df17eb8a8c1bafe0b56f2b875c934582d7bd5398fbebbf27761da4a789871d9
AgentTesla
231ba68aed77233685a7431ba8b1df348d0dc71860f41c7d43a5f6f486a1c66d
AgentTesla
5a818191a4aa931ebdf594da986e37e8cbe0428b225a2c5f9bec9efcc46a83b3
AgentTesla
7ec3a47d84d4fdc7f4359e840592afefa7b70cdbb03e4d4d1c06c0d5ec083424
AgentTesla
875ffba606e3244a1644cd39e50e7eb9ee7d9d93f99bc56019b52fcada9b95a5
AgentTesla
a157f236b925cda23175a9caeeb37842670ad730a0ad13dc9c526a81f02f7452
AgentTesla
aefa72ffc5e01d200d8807d687a43b7450af469fdb3ae8761393c231e7c7f498
AgentTesla
b6f12247c9a7928280fc2f83e19792f3f3f099a9437d493877e59df36bd46a28
AgentTesla
+ 12'937 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221007-jcdj6acbaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla payload
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/44e1a5ce-6524-40f9-922e-dc122866f9af
Unpacked files
SH256 hash:
d9c89a6c4f03f83874a1307266367a4d4656d9662745e066d1ad8e8da989781d
MD5 hash:
94b07cadcdf396f4fadabbe834b32ede
SHA1 hash:
92e945a74516ef944ff59f3bd9cd0cd44cd2373a
Detections:
win_agent_tesla_g2
Create hunting rule
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/644e1744-67ae-43db-aa66-be345c6da6a1/
Parent samples :
f3d6eb3da9b43c86b6610370d64e086c2af8d8511a4f05862e4ea312fb0211ca
c355e28ecd863acbd38e125d73c54d51b3a7a64a0592c763a82cf610e449812c
7dc5bb06ed08dbca62e8ef7e92a2faf388469529654cfcd9795d3479ced1f797
d3fea0633268ce59f95430656758b52177fefc498768319049a2eb20357c9ed2
74a2d217ea8475ba2e01664b539d851c89b9866eb634e289773424dc680f76c1
9823500c6567a243112dfed0bf437d928904be6bb058a24ac177a23557ea561c
f3807716a3cd6abc7bbf75bee159a7632dcb21e6d08ee4a29462350dd8a97af7
ed1a1b8dbe831fd0ecc35e1a98841da333edb55040a5bec1a2063e99d0d92020
eac32618d08c0c5c98468ac2d4ad561b424241b508c1b1ad9e9d00934bbb2e6d
d9c89a6c4f03f83874a1307266367a4d4656d9662745e066d1ad8e8da989781d
SH256 hash:
8ce5ab5ddd8bddccdedafbd6d93a503109b7f235b4ca0c0e970629f9f90a0214
MD5 hash:
a69fe4c8136ebe9a6dbce8ca215b5934
SHA1 hash:
46240c4decc0636e527d1db1e0d705ef0d05682c
Link:
https://www.unpac.me/results/644e1744-67ae-43db-aa66-be345c6da6a1/
SH256 hash:
3e1c4d9aa1c7d7489662862c840ca144583827e908b49b3b659f42e98e766e48
MD5 hash:
af6ab517f4cfd33f20e47441d3260f7b
SHA1 hash:
43d95a4bb6577e682d1bcf088de02a5faa2a326a
Link:
https://www.unpac.me/results/644e1744-67ae-43db-aa66-be345c6da6a1/
SH256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
Link:
https://www.unpac.me/results/644e1744-67ae-43db-aa66-be345c6da6a1/
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/644e1744-67ae-43db-aa66-be345c6da6a1/
SH256 hash:
7dc5bb06ed08dbca62e8ef7e92a2faf388469529654cfcd9795d3479ced1f797
MD5 hash:
78814e3af04b9bdcd450b080e87d52bf
SHA1 hash:
9271b75c17f65cd8b2cc1f30f3aa541fddc5ffcb
Link:
https://www.unpac.me/results/644e1744-67ae-43db-aa66-be345c6da6a1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7dc5bb06ed08/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7dc5bb06ed08dbca62e8ef7e92a2faf388469529654cfcd9795d3479ced1f797

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317529/

Comments