MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f
SHA3-384 hash: a7266933e263ec9fd7235f9af27d60a8e05e8e104eaed021af267a9210a99391a1e94cc13f0af59a24eb57118104ced4
SHA1 hash: 87e465cdb3a41a391b78ade05f5e514ee218dfe5
MD5 hash: 4de011ecf9142c0a21da2d7964ae34bd
humanhash: sierra-nine-bacon-don
File name:SecuriteInfo.com.IL.Trojan.MSILZilla.23693.28814.27870
Download: download sample
Signature AgentTesla
Create hunting rule
File size:10'752 bytes
First seen:2022-11-01 22:53:51 UTC
Last seen:2022-11-02 08:34:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 192:fCNbhQ5iasVvJM29SqnZPUa4zYvLf8stYcFmVc03KY:fCNbsCvJMySqZsPYvLfptYcFmVc03K
Threatray 19'621 similar samples on MalwareBazaar
TLSH T11322084993D00273DA73877B6D7397829B75A6A75CCB8BAE348C040EBF6764017A3290
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.IL.Trojan.MSILZilla.23693.28814.27870
Verdict:
Malicious activity
Analysis date:
2022-11-01 22:55:47 UTC
Tags:
trojan agenttesla
Link:
https://app.any.run/tasks/988c9d24-dc85-46c3-9363-58dfe6b05c18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326924/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.23693.28814.27870.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6361a38c9b2225917c1c586c/reports/3a3d541b-cad1-490b-bfc0-9708a9305b80/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a1ff735b-b22f-43f4-8ad9-22fff29b4c43
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1102862
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 735523 Sample: SecuriteInfo.com.IL.Trojan.... Startdate: 01/11/2022 Architecture: WINDOWS Score: 100 34 api.telegram.org 2->34 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 8 SecuriteInfo.com.IL.Trojan.MSILZilla.23693.28814.27870.exe 16 7 2->8         started        13 Czbppjnoa.exe 14 2 2->13         started        15 Czbppjnoa.exe 2 2->15         started        signatures3 process4 dnsIp5 36 194.180.48.115, 49701, 49702, 49703 LVLT-10753US Germany 8->36 24 C:\Users\user\AppData\...\Czbppjnoa.exe, PE32 8->24 dropped 26 C:\Users\...\Czbppjnoa.exe:Zone.Identifier, ASCII 8->26 dropped 28 SecuriteInfo.com.I...28814.27870.exe.log, ASCII 8->28 dropped 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->46 48 May check the online IP address of the machine 8->48 50 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->50 52 Encrypted powershell cmdline option found 8->52 17 SecuriteInfo.com.IL.Trojan.MSILZilla.23693.28814.27870.exe 2 8->17         started        20 powershell.exe 16 8->20         started        54 Multi AV Scanner detection for dropped file 13->54 56 Machine Learning detection for dropped file 13->56 file6 signatures7 process8 dnsIp9 30 api.ipify.org.herokudns.com 52.20.78.240, 443, 49704 AMAZON-AESUS United States 17->30 32 api.ipify.org 17->32 22 conhost.exe 20->22         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 18:00:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
7 of 42 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7yaqgfvvhvvlzwmnj5f6s4ohoeh3cypw5b4wxwph2v345ttrjpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
masslogger
Create hunting rule
Similar samples:
0e5b0d318b1bfd14a705e7b4c16324a2e7f21562052948426d11c32ec586be5e
AgentTesla
3ac53c020fb6c8cfa48ade29a4ad84513fe6e10d4b73488d52ebdbec846c912c
AgentTesla
63817b66af367d99670cfca41e202771396a759aa78b62b08dcbf80eebd63217
AgentTesla
791d28363cac830f755941fbd116d6c30cbd38f7c88f4b5f7f318feea4836fdd
AgentTesla
cf1f377d2a4f59a5c6e94629e07f57ac5cf952a880ef3f02c5714a4890b4a695
AgentTesla
f1eb46659645f95cf7b90059247cac5cd905e63a9c8852bb92380e8c7be4fdf2
AgentTesla
+ 19'611 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221101-2vhwpsgean/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5792740148:AAFobcIqNxs0h0FT_FeGMExbtpZ5X2KUZP0/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3731c399-3f80-4b2c-be38-1ceaeb002540
Unpacked files
SH256 hash:
87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f
MD5 hash:
4de011ecf9142c0a21da2d7964ae34bd
SHA1 hash:
87e465cdb3a41a391b78ade05f5e514ee218dfe5
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/ab8fe02d-9a8f-48ef-af89-5662031dd34b/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87f00818b5a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img c1f221ad6c877318de9fe4f750c6b6c8290043d2fc29be0b3014ea407048be58

AgentTesla

Executable exe 87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/326924/
  
Dropped by
SHA256 c1f221ad6c877318de9fe4f750c6b6c8290043d2fc29be0b3014ea407048be58
  
Dropped by
MD5 691e99a6aac6fbb7e3c81bd93eeb7e90

Comments