MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7c371447c3d8864f1dbba9a588ec08c3e419999ef31cc96446c9c1d0e5368fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7c371447c3d8864f1dbba9a588ec08c3e419999ef31cc96446c9c1d0e5368fa
SHA3-384 hash: 60422633cc6bffbbf57b531338d570d26c8fbf5a0da4821d7b33a5a71f57620927016daa1422f4a83bcf5b47459d5e5d
SHA1 hash: 57b1e8733fdea2bbab394ef01ff4691a53b9242e
MD5 hash: 227a3b1bb579f2a92bea8cba9f5c227d
humanhash: nineteen-mockingbird-xray-iowa
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'417'728 bytes
First seen:2021-05-26 07:32:58 UTC
Last seen:2021-05-26 09:19:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:7PUfoCj8Wjl40HW0mpVYi8XgSAj5C5/sm24XAJoj4+F3qUVKBMkV:7PUfnjLZ4npEqj5CmlojVsBP
Threatray 125 similar samples on MalwareBazaar
TLSH B3655D5D66646B21F07C8376C9E5480393FAF8039302DD5EACD133EC5B63B967A4262E
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162254/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.763.30673.16404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792414
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 424810 Sample: SOA.exe Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 7 SOA.exe 7 2->7         started        11 newapp.exe 5 2->11         started        13 newapp.exe 4 2->13         started        process3 file4 35 C:\Users\user\AppData\Roaming\QhCLQWytG.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp4235.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 7->39 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 15 SOA.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 schtasks.exe 11->21         started        23 newapp.exe 11->23         started        25 schtasks.exe 13->25         started        27 newapp.exe 13->27         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->41 dropped 43 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->43 dropped 45 Tries to steal Mail credentials (via file access) 15->45 47 Tries to harvest and steal browser information (history, passwords, etc) 15->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->49 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c7c371447c3d8864f1dbba9a588ec08c3e419999ef31cc96446c9c1d0e5368fa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 07:33:08 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7bxcrd4hwegj4o3xknfrdwarq7edgmz54y4zfsensob2dstnd5a._file
Verdict:
unknown
Similar samples:
07245aa4f477bc6d09c4e1144b5c842f4c52f08d4f038fe87cdc7a001d445b7a
AgentTesla
15f6129bc55585c8da9ef55ceabac0c5c3a382cd5f3649c45024cbdfdb072ad0
AgentTesla
210cbbd90b467031aad3494fce1ca5fdc1a5935301b64ef6d5c9b19a0144a056
AgentTesla
2c05b6ff91589483de5e7ceac7fe88cf865fa0c37c7e5704218a75b4f747595a
AgentTesla
67e3f2f06267750e9f6a6eeb599517a373b2b0d8bd886ba882b5cf083ad51ae4
AgentTesla
9885e59ed40fe0dd7227188294b241c1c4d2d488c656c2409648efeeaf560d07
AgentTesla
988bbad8a48d5a66c06478290c947492ae662576793a26028d9a87fa652b84aa
AgentTesla
b0f770f98c7385bdc31fdb8429b6d6e31e40a005cfdaeb9539f92eac357ba486
AgentTesla
e07c6115d9384a13918a22ac6f22631f78a9f18f8eaf3a945c6ba80ba91d713e
AgentTesla
f7b3e95c6a5da0562c321e46442d654d2caec7ab506cc7cf440356f235aed9fe
AgentTesla
+ 115 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210526-sw4xjhfnys/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7c371447c3d8864f1dbba9a588ec08c3e419999ef31cc96446c9c1d0e5368fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162254/

Comments