MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7
SHA3-384 hash: 701bfa4b25785cc29047dfe41a8c3c4f717e48e18d72d258abccf65404a9eb29e928349ef532b8195ffb67e4279a0c39
SHA1 hash: 742584a7c378a8ac4e343da62d0830cee6710cdc
MD5 hash: 9ba96ca6975b3149c424bb9d91f6ad57
humanhash: table-network-jig-potato
File name:PURCHASE ORDER #762812.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:492'032 bytes
First seen:2023-06-15 23:14:56 UTC
Last seen:2023-06-22 08:44:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:nl76TbzSguh7kiDxnGr6QJ+kroYL2+Xv5VkTMmjAbssKssVs9SyENn:l767SBhkSGrPJ+io+V4ussKssVs9dA
Threatray 2'824 similar samples on MalwareBazaar
TLSH T114A47D3A3610D6FAED080930C8B2CE5E6DA13C3696E40901E398775E573B169BB3F5B5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b269dcdce8d469b2 (1 x AgentTesla)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
370
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER #762812.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 23:17:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f971c71-592b-4a7c-9108-6c1fa3935148

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399353/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.28470.12724.25302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker cmd.exe lolbin obfuscated packed packed
Link:
https://www.filescan.io/uploads/648b9b78ec3d0b10ee42806a/reports/fc100920-d94b-4790-8fac-ba163e28521b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d3addab-241c-4493-b3ae-f1899b5cd387
Result
Threat name:
AgentTesla, Redline Clipper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255696
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops PE files with benign system names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Redline Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 888716 Sample: PURCHASE_ORDER_#762812.exe Startdate: 16/06/2023 Architecture: WINDOWS Score: 100 117 Multi AV Scanner detection for domain / URL 2->117 119 Found malware configuration 2->119 121 Antivirus detection for URL or domain 2->121 123 8 other signatures 2->123 9 PURCHASE_ORDER_#762812.exe 4 2->9         started        13 svchost.exe 2 2->13         started        15 svchost.exe 2->15         started        17 svchost.exe 2->17         started        process3 file4 101 C:\Users\...\PURCHASE_ORDER_#762812.exe.log, ASCII 9->101 dropped 145 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->145 147 May check the online IP address of the machine 9->147 149 Drops PE files with benign system names 9->149 19 PURCHASE_ORDER_#762812.exe 15 9 9->19         started        24 cmd.exe 2 9->24         started        32 2 other processes 9->32 151 Antivirus detection for dropped file 13->151 153 System process connects to network (likely due to code injection or exploit) 13->153 155 Multi AV Scanner detection for dropped file 13->155 157 Machine Learning detection for dropped file 13->157 26 svchost.exe 14 8 13->26         started        34 3 other processes 13->34 159 Injects a PE file into a foreign processes 15->159 28 svchost.exe 15->28         started        36 3 other processes 15->36 30 svchost.exe 17->30         started        38 3 other processes 17->38 signatures5 process6 dnsIp7 103 product-secured.com 19->103 109 5 other IPs or domains 19->109 95 C:\Users\user\AppData\Local\...\svchost.exe, PE32 19->95 dropped 125 Tries to steal Mail credentials (via file / registry access) 19->125 127 Installs a global keyboard hook 19->127 40 svchost.exe 3 19->40         started        129 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->129 131 Uses schtasks.exe or at.exe to add and modify task schedules 24->131 133 Drops PE files with benign system names 24->133 43 conhost.exe 24->43         started        105 64.185.227.155, 443, 49697, 49705 WEBNXUS United States 26->105 107 product-secured.com 26->107 111 2 other IPs or domains 26->111 45 svchost.exe 26->45         started        113 3 other IPs or domains 28->113 135 System process connects to network (likely due to code injection or exploit) 28->135 137 Tries to harvest and steal browser information (history, passwords, etc) 28->137 47 svchost.exe 28->47         started        115 3 other IPs or domains 30->115 49 svchost.exe 30->49         started        97 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 32->97 dropped 99 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 32->99 dropped 51 3 other processes 32->51 53 4 other processes 34->53 55 4 other processes 36->55 57 4 other processes 38->57 file8 signatures9 process10 signatures11 139 Antivirus detection for dropped file 40->139 141 Machine Learning detection for dropped file 40->141 143 Injects a PE file into a foreign processes 40->143 59 cmd.exe 40->59         started        61 cmd.exe 40->61         started        69 2 other processes 40->69 63 cmd.exe 45->63         started        71 3 other processes 45->71 65 cmd.exe 47->65         started        73 3 other processes 47->73 67 cmd.exe 49->67         started        75 3 other processes 49->75 process12 process13 81 2 other processes 59->81 77 conhost.exe 61->77         started        83 2 other processes 63->83 85 2 other processes 65->85 87 2 other processes 67->87 79 conhost.exe 69->79         started        89 2 other processes 71->89 91 2 other processes 73->91 93 2 other processes 75->93
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 23:48:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7eygv7iheyohtwphouws6vnwqsudxq6psnbipbqve6bn7slmplq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07f01993306030d708dc2b5b42d4a6aef41c0c2f597aca066138689a6722a25d
AgentTesla
0a4e71d138b64a3b8b5b1e99b662536590a48e0bd1a993cff6a4dd98dd84f6cd
AgentTesla
158d9c5a8c7290c638708e4843cb732e395c1ef4d782e1425220cb54467f27dd
AgentTesla
242e20fc56e288cfc053bde6513329683785b487787bf209fd94a5215110552b
AgentTesla
2e5e690fe5a9607c51574cd1e8444591a9dd524fafc78911ff9f09ee5242bff1
AgentTesla
54b8c91ae0485d795f9821b01eb839bd682aee18df6a0b54d14d6eb2a2c0e83d
AgentTesla
816dcc8bb5070ed2db687bdb064a383c946c8183f5e0c089f2453653be8a3086
AgentTesla
8f4a4002934b09591e8b6f95a9ec20ff0ae4ddc48dd869bd76fc9d9f9c59f72e
AgentTesla
+ 2'814 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230615-28jp6abg28/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
AgentTesla
Unpacked files
SH256 hash:
aa1adcaf529661c6cc84b1125cea00157aa5cd4852db020336db592ec70bdce0
MD5 hash:
57adf50b29b65dbeffa2d60298197fbb
SHA1 hash:
ad7c188fb423545d77f457c899ca2442966d825c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/007a116b-5bb1-4131-a7fa-15cf91106d10/
SH256 hash:
c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7
MD5 hash:
9ba96ca6975b3149c424bb9d91f6ad57
SHA1 hash:
742584a7c378a8ac4e343da62d0830cee6710cdc
Link:
https://www.unpac.me/results/007a116b-5bb1-4131-a7fa-15cf91106d10/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c7c98357e839/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399353/

Comments