MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b
SHA3-384 hash: 2125f4756f70241c2c06db5fbe4854fa03df13001f8574177ef2f10746f6fcd8d157652bf7b57964b8590f8150d7262c
SHA1 hash: 5800259deac2b78977da5e36e175386f0a8f89e4
MD5 hash: 1ded1cdd72e54c2f3cc59118804d41c7
humanhash: tennessee-helium-pip-salami
File name:ISF Form.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'934'848 bytes
First seen:2023-03-08 16:37:09 UTC
Last seen:2023-03-08 18:30:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:td7WycQ5Q4l6zSnRn0X8tME0zoYUS6JvODX8XIriy9hdAa9lA:5/l5GPx7SIrdD
Threatray 1'247 similar samples on MalwareBazaar
TLSH T1BA958CF08E52FE91DBAB0D8480DC19C06C4C1BAB87AD9948FCC82556E2E1A64FFDD571
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ISF Form.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 16:37:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b172fca9-c6a3-45f5-b879-79c17093a8df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372648/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.70387.10768.14596.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6408b9ecce680ea731cc4f29/reports/a0bfa92c-3fef-49f6-96d9-719d0cca2911/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29403c77-fcca-4638-98a9-2df78e0c3f70
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189598
Signature
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 822472 Sample: ISF_Form.exe Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 58 smtp.ionos.com 2->58 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected AgentTesla 2->70 72 Yara detected Generic Downloader 2->72 8 ISF_Form.exe 1 7 2->8         started        12 Swwftnxl.exe 4 2->12         started        14 Swwftnxl.exe 3 2->14         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\Swwftnxl.exe, PE32 8->40 dropped 42 C:\Users\...\Swwftnxl.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\...\ISF_Form.exe.log, ASCII 8->44 dropped 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->74 76 May check the online IP address of the machine 8->76 78 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->78 16 ISF_Form.exe 15 7 8->16         started        20 powershell.exe 16 8->20         started        22 ISF_Form.exe 8->22         started        80 Multi AV Scanner detection for dropped file 12->80 82 Encrypted powershell cmdline option found 12->82 84 Injects a PE file into a foreign processes 12->84 24 Swwftnxl.exe 12->24         started        26 powershell.exe 13 12->26         started        28 Swwftnxl.exe 12->28         started        30 Swwftnxl.exe 14->30         started        32 powershell.exe 14->32         started        signatures6 process7 dnsIp8 46 api4.ipify.org 104.237.62.211, 443, 49695 WEBNXUS United States 16->46 48 smtp.ionos.com 74.208.5.2, 25, 49696, 49697 ONEANDONE-ASBrauerstrasse48DE United States 16->48 56 2 other IPs or domains 16->56 60 Installs a global keyboard hook 16->60 34 conhost.exe 20->34         started        50 64.185.227.155, 443, 49698, 49700 WEBNXUS United States 24->50 52 api.ipify.org 24->52 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->62 64 Tries to steal Mail credentials (via file / registry access) 24->64 66 Tries to harvest and steal browser information (history, passwords, etc) 24->66 36 conhost.exe 26->36         started        54 api.ipify.org 30->54 38 conhost.exe 32->38         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 16:47:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w7g4lv7o4bdpwcim5yw4oa7iw2hijet5x5nutz4hzf7c3t3bo55q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
216509ca0f82c10daa1b7ea155f150766effa1270b1cc4d946f7b6d26851f092
AgentTesla
59881fd0b6ff879c3e30f5c581ba0724fdb854176893af098333f8cf13222f9a
AgentTesla
6e8160f23b32743ffdcd853036d351c0ec4410d61f28254854b0ec6abdfb4fc3
AgentTesla
85913d4430d1da9a29e295d98d21997c90edf6d3dea08c709c81e5c8302c3e0f
AgentTesla
9a8c1fe1c53db8a44a8971664845fc5a63f34199504f3156101d8005059247a9
AgentTesla
9b2b9f8f70057a1d60700f490e59ae93972ce2fdfb852770ae08fdfff72a0611
AgentTesla
f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775
AgentTesla
+ 1'237 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230308-t5dezaeh7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/a83b698f-85c2-4548-8a3d-e2c15cf8eddf/
SH256 hash:
7a796f8a02bf30d58545c687eab7798307a2465d8606dddbfb65ef27dff74560
MD5 hash:
99eb46ee97146fd3deffe6c0d3179203
SHA1 hash:
b955775b41581ad9665099409d601ed7fbf5110a
Link:
https://www.unpac.me/results/a83b698f-85c2-4548-8a3d-e2c15cf8eddf/
SH256 hash:
cfda4b81ba07bebe0c33b27727312a720780a057bed8c7b2e3a4e243aadc46a4
MD5 hash:
eef8d2077bb18b8bf564eed4b29f4d82
SHA1 hash:
6420a9dcd8305e125618e79eaa07950a00c79aed
Link:
https://www.unpac.me/results/a83b698f-85c2-4548-8a3d-e2c15cf8eddf/
SH256 hash:
b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b
MD5 hash:
1ded1cdd72e54c2f3cc59118804d41c7
SHA1 hash:
5800259deac2b78977da5e36e175386f0a8f89e4
Link:
https://www.unpac.me/results/a83b698f-85c2-4548-8a3d-e2c15cf8eddf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b7cdc5d7eee0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/372648/

Comments