MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f7322dd08a3f54e840b31b0c1c01a65676701cb15ed97ea3cdb6b0edf5402db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f7322dd08a3f54e840b31b0c1c01a65676701cb15ed97ea3cdb6b0edf5402db
SHA3-384 hash: cdf14bd7df14dd454a05498fc6fa61a9721ed3ab2445ce65f3f672db0791492391e64581ba9652dba1c02387609e1efa
SHA1 hash: c5e78e9d7fbac0572d8b276968799bbced619cc7
MD5 hash: c8f78f4ec916de2a794ada0f74524a92
humanhash: twenty-kentucky-freddie-spaghetti
File name:RZxpPKvkpjbNPWT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'101'824 bytes
First seen:2023-01-03 22:12:21 UTC
Last seen:2023-01-03 23:28:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:YV4g0gWsfISQ5KDYmMjlyCwv8GJhzVJMAv5gSi8riwUTiLdw/6WHvYM16ffrifPc:y0gWBSM8j/JhxZiSi8lUTyvWX1Qf+c
Threatray 5'805 similar samples on MalwareBazaar
TLSH T1EC359B8D27B8E077FAD7233A461111B91D623A13F5A2F11F6E7B7EE56005AFA326C104
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RZxpPKvkpjbNPWT.exe
Verdict:
Malicious activity
Analysis date:
2023-01-03 22:12:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9525e3ac-a474-438d-b9d5-9c2d33c330c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349257/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10420.22131.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63b4a86e0e926711fd76b472/reports/20c6db0e-a096-4b22-b3ba-c55a7c5ec8b6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61fa1e8a-8c4c-454b-a1d5-9d3c05c61b43
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1144817
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 777547 Sample: RZxpPKvkpjbNPWT.exe Startdate: 03/01/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Sigma detected: Scheduled temp file as task from temp location 2->68 70 9 other signatures 2->70 7 RZxpPKvkpjbNPWT.exe 7 2->7         started        11 YPAKilfGihHhm.exe 5 2->11         started        13 JxkFp.exe 2->13         started        15 JxkFp.exe 2->15         started        process3 file4 54 C:\Users\user\AppData\...\YPAKilfGihHhm.exe, PE32 7->54 dropped 56 C:\...\YPAKilfGihHhm.exe:Zone.Identifier, ASCII 7->56 dropped 58 C:\Users\user\AppData\Local\...\tmp8B41.tmp, XML 7->58 dropped 60 C:\Users\user\...\RZxpPKvkpjbNPWT.exe.log, ASCII 7->60 dropped 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->84 86 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->86 88 Uses schtasks.exe or at.exe to add and modify task schedules 7->88 90 Adds a directory exclusion to Windows Defender 7->90 17 RZxpPKvkpjbNPWT.exe 17 6 7->17         started        22 powershell.exe 19 7->22         started        24 powershell.exe 21 7->24         started        26 schtasks.exe 1 7->26         started        92 Machine Learning detection for dropped file 11->92 94 Injects a PE file into a foreign processes 11->94 28 YPAKilfGihHhm.exe 11->28         started        34 2 other processes 11->34 30 JxkFp.exe 13->30         started        32 schtasks.exe 13->32         started        36 2 other processes 15->36 signatures5 process6 dnsIp7 62 api.telegram.org 149.154.167.220, 443, 49699, 49700 TELEGRAMRU United Kingdom 17->62 50 C:\Users\user\AppData\Roaming\...\JxkFp.exe, PE32 17->50 dropped 52 C:\Users\user\...\JxkFp.exe:Zone.Identifier, ASCII 17->52 dropped 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->72 74 Tries to steal Mail credentials (via file / registry access) 17->74 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->76 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        78 Tries to harvest and steal ftp login credentials 30->78 80 Tries to harvest and steal browser information (history, passwords, etc) 30->80 82 Installs a global keyboard hook 30->82 44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f7322dd08a3f54e840b31b0c1c01a65676701cb15ed97ea3cdb6b0edf5402db/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-03 20:11:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5zsfxiiup2u5balggymdqa2mvtwoaolcxwzp2r43nvq5x2ualnq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26cd2bcced6805a4bcfb2f0f36ee11314431ae022d0a38ec91f0108a6625dd07
AgentTesla
43a0be7895e81ab00df511b6e247641f46291a794c103111e602ff1401ea0324
AgentTesla
6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b
AgentTesla
6bf40a84dcada0287d1491ead582f48d2a7d89528cbfe635bceb85a8925dcc12
AgentTesla
77cd536168c0e9585f4e6618573de6f52a73d17cd7f9aa527a696752c0f25143
AgentTesla
980572025579ff98c1ab84aa8c0c045e075d174bc5bb166e2694590c98f90a54
AgentTesla
9b253d1ee197c0820361237b9e428dcb76ade10f649e705a5dbd7e51734caa8d
AgentTesla
af15ddc6ec0ed71ac34b005dc109da1f4d01f04023b014d4a9695f8ed6f23be3
AgentTesla
bc60f5c19d219304320e8a975a199dbef09c89ac82fce15feacda92bd9152554
AgentTesla
f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc
AgentTesla
+ 5'795 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230103-143f2ada75/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5590596148:AAFELAezvK26mOp3KWIpAgxEVzQMQ56n6zg/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7070013b-2ce3-4a92-8b7c-efa6868fcfed
Unpacked files
SH256 hash:
97d46b6c5ccaa0bf41b80c90a2d537017566d44151cb5ff54d20ec22abec4041
MD5 hash:
be58e808d289e7dedc18076eb671bc3e
SHA1 hash:
d4d41e28345a1224405899832abdc0ae52fd4799
Link:
https://www.unpac.me/results/7403dfe5-ef2c-4dbd-b52b-6f065d9a7805/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/7403dfe5-ef2c-4dbd-b52b-6f065d9a7805/
SH256 hash:
6457168b9bba4be36d0d74dcb7c5cba2176e12de96abd021c4e76a0ad00c1ef4
MD5 hash:
ea7bad894b63342e1c765e819bd3329d
SHA1 hash:
b02be85b45bcfdcbdee14a2bcb69b9812491be00
Link:
https://www.unpac.me/results/7403dfe5-ef2c-4dbd-b52b-6f065d9a7805/
SH256 hash:
26325dba2cb72b8ef88334ed979153f232b4f53f58d3a1dbe8690e565cdcfb35
MD5 hash:
9c1f8f3e3e0524bb2cbba7602d6cb880
SHA1 hash:
888990a74aeeecb326c31e32abce99c1b87a32a0
Link:
https://www.unpac.me/results/7403dfe5-ef2c-4dbd-b52b-6f065d9a7805/
SH256 hash:
c540ee591b86046d35bd8c6d10081c0a11ca9292c1665b772ea48a0b54ce200e
MD5 hash:
640dae8ea290a5b59948adf98a5a48ac
SHA1 hash:
6fc6c71f5820a59d87306d05076030ca8109380f
Link:
https://www.unpac.me/results/7403dfe5-ef2c-4dbd-b52b-6f065d9a7805/
SH256 hash:
7f7322dd08a3f54e840b31b0c1c01a65676701cb15ed97ea3cdb6b0edf5402db
MD5 hash:
c8f78f4ec916de2a794ada0f74524a92
SHA1 hash:
c5e78e9d7fbac0572d8b276968799bbced619cc7
Link:
https://www.unpac.me/results/7403dfe5-ef2c-4dbd-b52b-6f065d9a7805/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f7322dd08a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7f7322dd08a3f54e840b31b0c1c01a65676701cb15ed97ea3cdb6b0edf5402db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/349257/
  
URLhaus
https://urlhaus.abuse.ch/url/2495933/

Comments