MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7de9e6cacff646823bd04add2f12f423bc654548163ac37e17860d1eb5b315f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7de9e6cacff646823bd04add2f12f423bc654548163ac37e17860d1eb5b315f1
SHA3-384 hash: c4355d857d90f46dd0bf305e84c7765227be40ba315795a7b65fe95fe95522247afe208aeba8b360de750fecfe5b7842
SHA1 hash: 6d82933a4bdcec4b6ca7f5a4bc38b3ece587d067
MD5 hash: 5370d8408a9d80a45bdaf5f5f8306d91
humanhash: finch-music-finch-hydrogen
File name:SecuriteInfo.com.Win32.CrypterX-gen.14630.22885
Download: download sample
Signature AgentTesla
Create hunting rule
File size:715'776 bytes
First seen:2022-11-22 17:28:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qeTFpQ8Edej5dA3ZH2C7E4TXGzxgJ+DBE1DWxjABfUny:XQ8EAdkN7XTXu242wuU
Threatray 19'933 similar samples on MalwareBazaar
TLSH T19EE4CF16B64BEE92D3AC1E36C0C6521497F1CD929122E64F3FF0D2C10D13BD69F9A685
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 6cccdcf0f0f8dcd4 (11 x AgentTesla, 1 x Formbook, 1 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.14630.22885
Verdict:
Malicious activity
Analysis date:
2022-11-22 17:31:07 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/cc12a878-5ffe-44d8-bd41-affa17b44b22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337307/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.14630.22885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637d06de090ea3f0493468ea/reports/6714fa57-8895-473e-a045-226b6f83be84/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4278d2a4-c49c-4926-964f-c1ad908c6e34
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119113
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751830 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 22/11/2022 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 8 other signatures 2->58 7 SecuriteInfo.com.Win32.CrypterX-gen.14630.22885.exe 6 2->7         started        11 RtVrXieIBF.exe 5 2->11         started        13 zBwkauB.exe 2 2->13         started        15 zBwkauB.exe 1 2->15         started        process3 file4 40 C:\Users\user\AppData\...\RtVrXieIBF.exe, PE32 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpFF3A.tmp, XML 7->42 dropped 44 SecuriteInfo.com.W...14630.22885.exe.log, ASCII 7->44 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 7->74 76 Writes to foreign memory regions 7->76 78 Injects a PE file into a foreign processes 7->78 17 RegSvcs.exe 2 5 7->17         started        22 RegSvcs.exe 7->22         started        24 schtasks.exe 1 7->24         started        80 Multi AV Scanner detection for dropped file 11->80 82 Machine Learning detection for dropped file 11->82 26 RegSvcs.exe 11->26         started        28 schtasks.exe 1 11->28         started        30 conhost.exe 13->30         started        32 conhost.exe 15->32         started        signatures5 process6 dnsIp7 46 dmstech.in 208.91.199.89, 49713, 49719, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->46 48 mail.dmstech.in 17->48 38 C:\Users\user\AppData\Roaming\...\zBwkauB.exe, PE32 17->38 dropped 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->60 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->62 64 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->64 34 conhost.exe 24->34         started        50 mail.dmstech.in 26->50 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->66 68 Tries to steal Mail credentials (via file / registry access) 26->68 70 Tries to harvest and steal ftp login credentials 26->70 72 Tries to harvest and steal browser information (history, passwords, etc) 26->72 36 conhost.exe 28->36         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7de9e6cacff646823bd04add2f12f423bc654548163ac37e17860d1eb5b315f1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 13:32:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxu6nswp6zdieo6qjlos6exueo6gkrkicy5mg7qxqygr5nntcxyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5c655562f6814bc5b70772705bc45ab78cb7d91d518774cf1aa271581eb0405b
AgentTesla
740b8d98eca229f6873a327b046f509c7228ae9e7cf2acabfc43aa5c0e0d5d9d
AgentTesla
b37d9a54e81fc3feac68afee6c776fea62e111491db1da57456452beabe118ac
AgentTesla
b3dfa295345931a2e11de2d9b98f350b2744c415d2258a2745f8bb8d9cc3a4b2
AgentTesla
dcc60226dc95db85e94d9e78b8af2ccb0bb0b201af107999e315ea01cbe52475
AgentTesla
de5b61d6d78fd9f35298ac0f1adbca16f102ded02fbfb04b43cff96b7b4862a6
AgentTesla
+ 19'923 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221122-v2jm9abd35/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
739b0d0c25dab5d69c516941cb4f370df005fc8e1a77df445358776b22c3dd52
MD5 hash:
0a3d628f3d14fecd845cc89b4fee11b0
SHA1 hash:
c072047c81115be2e2307cc85f01fe98a8079c87
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/b77f498f-1c72-4d33-a2ae-e41f0e66d035/
Parent samples :
dcc60226dc95db85e94d9e78b8af2ccb0bb0b201af107999e315ea01cbe52475
322a82cb52dd04f516915780a9eb9865e24bd284fedecf938e345270fa0f83b3
7de9e6cacff646823bd04add2f12f423bc654548163ac37e17860d1eb5b315f1
ea43d517a6f297bacd8199f6df1f0cfaa00acac3c3c2eb125093df80c73a87a6
056fefb924727f883dacfa1b86cf30fd3f62c5802d4ab3c6a0ae3493e9aaab98
b3e12ecdee9eacc7354a7d43ccd3ebe7e6db207e93f73b7a847ff4bee9f27f86
bb43a5754a893cb89704ada5e6ab99172fcaba378a12b890b6baae58fd6d35ba
b27f7a44bbe68d1ceb1d8d2b0a81fe4dcb9dc8047080e6a79aaca37b409cf240
97c28174a64eab003f2a1b2f4a742acbcbb8394249d136d176c19711908da21a
b188a13a9f8d13e388089ecbe4725f5c0e2a17c2f1036e0a7ab0cf5aab878549
baa6318542fec07e6a7ee6bbdccbfa99519c4b76fe6d57bf573c6d33d943db9a
21ffa6cab8603732b5f615cd0db3e5e6deef95d75fa33598815e4bcbcb1da691
36e7dd656f73069c8c78ae8f100a746a6d48df103fa11739355c09f03e45b0bd
25b6b99d864c11f150199c742850366511b9213ec5cf408ff57ced3622653143
570bb8f8e76556ba2158370d21c83415e1773c5cf25d92a84e4a066c82a61051
3ef08f39f739e970a5e143decd013ff75086300f30aea4441c33b609f4c2e9d5
f22e0e86d77e67ae822fbd78fef1108767918aec0df59bc554e0378a45a4c068
2ad2b641db99003656d22d4e31f884ebb887d3ffe7a92e8338b37a7aad60a711
5930c5866f8eed59c28ce8c986a3e44a289cfbb12a7a7197d2d6c6caad4cdb69
a6a9d25fbff8fc2d49d743951692f0f583420945d6a28393298713346c984809
67746033de06b15b8b02f5dc873f8b82696b94158c5074e8251ae1433b671c3a
a21f3e9612275b3514ddbada4ff1763efbb2cee160ea6d530d66b9f9449baa88
4f2a16d1aa218f8e423b803df72a63c2c6748d2701fe664c5eee59e096af3921
8e3410b701ab440ca72fc04705a3f8f663031f64fcf6b06b4a07d2ba3d5b4bf2
5dd95385f904bef50b5b57a7ab6427c78df4b9a93386f0ca16ee484b67ae939e
8cac9d66650d477750c772f06ca469eeff8056f6c058b1e5dfff1cea549a35ea
9431de0e7a6f14542adabb08e4a2e577d12e221913a7c08ec40aaef66658fff9
9c3660ffe5ce0c638949f25a1a1adc5d7ab366824e46d6ea3064e8c7426730f5
9c08966b170f8f713f07c3be1ed598d62e1efe93ab427fe4f44a4e372454a3c1
99adda59edc208010068f4ea20b251bce6e3f397847259d2f47b893f1c7f0a6a
54ec5ddfdaffbd07bb289eacfcdcb34cd15a36a720ad521b3b91665d54f2dfc2
9b8088bdfac6cdced72f50e8020779923a75804ffd8a8738d2373e97a097f908
b72cbdbe49d3141dfc0a63bafd35d2ae2bd6f3a213a1374d7c7e347d7cad756c
d33eea86eb7794132b9d99edf58f349f912b482cd2be5e5c63068e2700279fcd
32cb45b7a29d11d5962d991558f0e216de55cf5882282b55c9a2bb625e01873a
3c4d4ae6875508403d1c24d4422c588a14cd0515d7c11a388e8ea6403d03540d
6b0e8e6683df482c7579f4ba45e062d65af78a2eb8d310bdde706437dab53904
fcdf163e514b0aa3364e9da405c1d7bc249d7b870482392e590e8d4f37eae529
967faf62f7ca8a187e54a09b1cf77ec300cb9e2dc935a4b0d0462b498f3d004c
SH256 hash:
f19aadd49f32eb74b63573d800ad5a836875151859aa3bbf384cbc6903669106
MD5 hash:
c23f2a67e9ae03ebc5d101b809b29473
SHA1 hash:
b7d2c45fb976963bc087846390939e8986841d64
Link:
https://www.unpac.me/results/b77f498f-1c72-4d33-a2ae-e41f0e66d035/
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/b77f498f-1c72-4d33-a2ae-e41f0e66d035/
SH256 hash:
7de9e6cacff646823bd04add2f12f423bc654548163ac37e17860d1eb5b315f1
MD5 hash:
5370d8408a9d80a45bdaf5f5f8306d91
SHA1 hash:
6d82933a4bdcec4b6ca7f5a4bc38b3ece587d067
Link:
https://www.unpac.me/results/b77f498f-1c72-4d33-a2ae-e41f0e66d035/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7de9e6cacff6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7de9e6cacff646823bd04add2f12f423bc654548163ac37e17860d1eb5b315f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337307/

Comments