MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 14 File information Comments 1

SHA256 hash:	7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113
SHA3-384 hash:	b452d0f8ba3d402f667338b1dbef7057d32a00fa25fcedcb4a78860e1ac90f9685874b7f0da9193a64013dbec969643d
SHA1 hash:	31c172e588ea995a31b5d00dc50a78cd97e85720
MD5 hash:	8a7e5664d1f1d5bf41c6d943299aa1e8
humanhash:	alabama-march-cola-magnesium
File name:	8a7e5664d1f1d5bf41c6d943299aa1e8
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	470'599 bytes
First seen:	2023-11-15 08:20:22 UTC
Last seen:	2023-11-15 10:40:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	12288:7fUipgn2/I7tPP5LiGV2QxSGBhRHukGdJvVjQDVTg:7UMgn2QRPP5mGod+RHadXUJTg
TLSH	T19CA4F10721CF97B1E3B5A4BE7C76D0675A224E050CB05142BA38B7CE7871793A51BEB2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	60e8a8aca6c4d871 (1 x Formbook, 1 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/458674/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.3399.30255.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Connecting to a non-recommended domain

Sending an HTTP GET request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65547f6f8dc4c0f2230b5aa3/reports/66a1e381-411f-40f8-b2cd-2fb91666271c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d11f5c93-779b-4e29-8c65-847d78e279ac

Result

Threat name:

AgentTesla, NSISDropper

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1342855

Signature

Contains functionality to log keystrokes (.Net Source)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113/

Threat name:

Win32.Trojan.BazarLoader

Status:

Malicious

First seen:

2023-11-15 08:21:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pzisxogb3lphqfrkwyiwxe65hwzmx6i53xyj2bmvl6s73tn5oejq._file

Verdict:

malicious

Label(s):

agenttesla_v4

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231115-j8zr9seh48/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

3a3f5768280faf1bf727d604b71ca4785f2133dbad4ed750423a2c18985eba3e

MD5 hash:

edca2bd6e47e064e3244ae482f0a34a3

SHA1 hash:

f2a0c602f6e7966e3c04b8baf8a77c8ca3e19905

Detections:

win_agent_tesla_g2

Agenttesla_type2

Link:

https://www.unpac.me/results/d15ede12-5dcd-406b-84c2-ac8434fd8384/

SH256 hash:

004db0f89998706b378f1de8726cae7a61cb29b3a6ea4471bcfb276909c3ca71

MD5 hash:

d3793936d5150140311092151991c22f

SHA1 hash:

c973b70db8be7354362a17ac83ee073b710a17b1

Detections:

AgentTesla

win_agent_tesla_g2

Agenttesla_type2

Link:

https://www.unpac.me/results/d15ede12-5dcd-406b-84c2-ac8434fd8384/

SH256 hash:

5457d8acf1f66dc2874d4c1920158f1ccdc4661843e3257cb862cdaf6b16b521

MD5 hash:

8b574a3a25bfbb6bdbc398a7e896aa38

SHA1 hash:

f60a3157012fac21cb5ed021e367ca6b7c81f1e4

Link:

https://www.unpac.me/results/d15ede12-5dcd-406b-84c2-ac8434fd8384/

SH256 hash:

7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113

MD5 hash:

8a7e5664d1f1d5bf41c6d943299aa1e8

SHA1 hash:

31c172e588ea995a31b5d00dc50a78cd97e85720

Link:

https://www.unpac.me/results/d15ede12-5dcd-406b-84c2-ac8434fd8384/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2730838/

Cape

https://www.capesandbox.com/analysis/458674/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-11-15 08:20:24 UTC

url : hxxps://swamini.in/wp-content/uploads/wpr-addons/forms/lightmuzik2.1.exe