MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7
SHA3-384 hash: f9fab2cbb40b23a0d828ec4482e0009a049fa1c2baad382b66048901fd4a47b917a495a9e22ea8d192583be56125a791
SHA1 hash: f1b2a17149734bb2eef62de13396743455aefbec
MD5 hash: 98b5d1281fc45604bb645cd9eea268b4
humanhash: bulldog-east-angel-mountain
File name:98b5d1281fc45604bb645cd9eea268b4
Download: download sample
Signature AgentTesla
Create hunting rule
File size:649'728 bytes
First seen:2023-09-29 13:14:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:L2AyiRJU/WcO3IWKkljH7XNhvphKMuc84jg4Y85lY1MXtU5:S/FeL3IWKKbbbphKc84jDY8T7O5
Threatray 3'581 similar samples on MalwareBazaar
TLSH T18BD4012077F90B5AE5BACBF604691A0857B9B16E3016F60C4DC370EE06B5F808B95F97
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00e49a72729ae400 (9 x AgentTesla, 4 x SnakeKeylogger, 3 x Loki)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451993/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2402.944.23248.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6516cdda33582f234e06f857/reports/62e1cc3a-f1c2-4e97-879d-c2f29b32b9c2/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILMamut
Link:
https://www.hybrid-analysis.com/sample/e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b797cc72-9531-4335-b2ae-b66caeb89603
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316606
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316606 Sample: tzCuIASNQp.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 7 other signatures 2->41 10 tzCuIASNQp.exe 3 2->10         started        process3 signatures4 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 13 tzCuIASNQp.exe 10->13         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 4 6 13->16 injected process7 dnsIp8 27 busvenezia.com 195.110.124.133, 49827, 80 REGISTER-ASIT Italy 16->27 29 clinicadralidicisantana.com 51.254.53.102, 49829, 80 OVHFR France 16->29 31 15 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 cmd.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 13:05:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46gju4j2izui6vyizdpd7kebm4fqx5qatvttipjqsbldbmb2d7dq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
2d3c7fefde60268ec96906144d74058651f6d5d7ed5993a8b1ed00ca40a2d7f0
AgentTesla
4baf37305afca03942dfd3f13c173cd45d587cd358adde2b6f1596fc761eaae2
AgentTesla
be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89
AgentTesla
c121eae871db09a878d790146f551a88f652fa3c0b56627674dc5ba9f05e04bc
AgentTesla
ca92353954eb428f99d73b11f26650f1ed59df39a99a04d45552c8b9ba4e1459
AgentTesla
ce345574366b94994a2aade4a96ade0eee23ad088211416b5695166cd251ec61
AgentTesla
d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e
AgentTesla
f31be72f929b86c056e683db26b8ec78a40f3d1156821fca58901189a8ee965e
AgentTesla
f90f3b5208e8e8089d318234c5e041db74317c142934594530e0486e0329b23f
AgentTesla
fd1e8b3716764f552b7350c4612cfc64b152ded240b6f2a38426d43efeabc7b2
AgentTesla
+ 3'571 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:pr17 rat spyware stealer trojan
Link:
https://tria.ge/reports/230929-qg8pescc47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
f6f5523db4434a6fa9913d3e447bc31cc030762130ad319e3c34efb5039787ba
MD5 hash:
0d8a5bf822018ceaf74368e1b7288579
SHA1 hash:
3e1e508eeedabc8b8de9376f0f7bdfdd3ce3398a
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/89785154-35c0-4088-a691-95ef689cc1db/
Parent samples :
e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7
afd193c804de7b5b9e18a0f385233c2706175b30bab03afe82be899e08689b82
SH256 hash:
a655be43f79d44bf3e6720e6e1aa99b8fd94785cd46707d9a0dd48a10e4d20c8
MD5 hash:
7c2c98a1bc1af93e1bc1e0c933915b8e
SHA1 hash:
c5c3a2e553fdfa9010cf11b582fe3399c5551ffd
Link:
https://www.unpac.me/results/89785154-35c0-4088-a691-95ef689cc1db/
SH256 hash:
09c872c46657f5d708d60e5e08976ea0e951343049f16939f3d974314afbe901
MD5 hash:
3224a009fa357ed0937e085069be6dbb
SHA1 hash:
3f7214f1c046d98840df7129082e7e1aeb55bf81
Link:
https://www.unpac.me/results/89785154-35c0-4088-a691-95ef689cc1db/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/89785154-35c0-4088-a691-95ef689cc1db/
SH256 hash:
e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7
MD5 hash:
98b5d1281fc45604bb645cd9eea268b4
SHA1 hash:
f1b2a17149734bb2eef62de13396743455aefbec
Link:
https://www.unpac.me/results/89785154-35c0-4088-a691-95ef689cc1db/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e78c9a713a46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e78c9a713a46688f5708c8de3fa881670b0bf6009d67343d30905630b03a1fc7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/451993/
  
URLhaus
https://urlhaus.abuse.ch/url/2715069/

Comments


Avatar
zbet commented on 2023-09-29 13:14:56 UTC

url : hxxp://185.28.39.18:7777/185.28.39.18/prosperzx.exe