MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7fce13687202b513b037fc478729270150f3a903ef601e274cd5bbe23a3df0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7fce13687202b513b037fc478729270150f3a903ef601e274cd5bbe23a3df0b
SHA3-384 hash: 9f1d8ab65b8ff40c1afb7a4e2ae22dc7b73e1e2ea66d169ef38f49eabfb9704cd418dd0a3eb0590232d41ff9608c1f43
SHA1 hash: edc8c4d0983e67f8ae9f4e39de4f48dcfb9cc5cd
MD5 hash: f729d1394542a388e866f188a3f0a2f6
humanhash: bakerloo-johnny-nine-arizona
File name:SecuriteInfo.com.W32.AIDetectNet.01.1557.3000
Download: download sample
Signature AgentTesla
Create hunting rule
File size:655'872 bytes
First seen:2022-07-06 19:32:01 UTC
Last seen:2022-07-07 13:15:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8En27FttmDltys6yNWAJ++bLqUjo+GDG2ruxQ0KxsRSRUcIwF8:8jdajUSLqmovDG2UKxpTa
Threatray 19'648 similar samples on MalwareBazaar
TLSH T104D423606BF19216ECFD61B4A1BA225037F13B60D731CB247DA8727A7D2E3AC4153762
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4b84de2e04dbadc (4 x AgentTesla, 3 x SnakeKeylogger, 3 x Loki)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285243/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.1557.3000.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62c5e33411764e36f81be066/reports/95dfba7e-38ec-445c-b0fd-1b5b04ffdc22/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1108faed-b4c7-41c5-8e05-4615cb6fadbd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1025887
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 658382 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 06/07/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 7 other signatures 2->41 7 SecuriteInfo.com.W32.AIDetectNet.01.1557.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\HfrkSCptC.exe, PE32 7->23 dropped 25 C:\Users\...\HfrkSCptC.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpC4C8.tmp, XML 7->27 dropped 29 SecuriteInfo.com.W...Net.01.1557.exe.log, ASCII 7->29 dropped 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->43 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 2 other signatures 7->49 11 SecuriteInfo.com.W32.AIDetectNet.01.1557.exe 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 99pancakes.in 103.21.58.15, 49743, 587 PUBLIC-DOMAIN-REGISTRYUS United Arab Emirates 11->31 33 webmail.99pancakes.in 11->33 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->51 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal ftp login credentials 11->55 57 Tries to harvest and steal browser information (history, passwords, etc) 11->57 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e7fce13687202b513b037fc478729270150f3a903ef601e274cd5bbe23a3df0b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 17:32:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=476ocnuheavvcoydp7chq4usoakq6ouqh33adytuzvn34i5d34fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bd49bd6eef0e96e0dd549eb7e3f4afdc49f6c2f1771ad644bd8d2bc4358b9d9
AgentTesla
51470b54c5f205002945f7a1977dcc11ffc35436335247181445d5afb9988740
AgentTesla
5a9b7d77317d0a0aeba87971e7ddc528a96eca2f95351e190d6b09701f78fa44
AgentTesla
6cfbf205225e6ba71eb7f9d214e2d93d932946eb7ff5821f9027c589a4e2ae77
AgentTesla
8f694c851db857028d90c62e8040b9c1282e58f493e32e64acf5424d8fa6a1fb
AgentTesla
9fa87d09a940bbc228fd02a5d41f562988e32d2c76a7f86437285b6e19d4513a
AgentTesla
b1b2dbf6aa0264052009067c102812bf5b7851b52c480056481445c0024a7946
AgentTesla
c24fe8f2829486059e49a179960a0ea6414ed4ef3af24a2597a9ce720b81bc43
AgentTesla
+ 19'638 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220706-x8x6bsaec4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
b631afc8cd9c36db17ad4fee4e123829a52fa6ed4e43c1fb4ba8ad4482f82163
MD5 hash:
92a94b634f609a660946fc6bdc45752b
SHA1 hash:
d75b39ab7f2a61ac2574883d01f74e136354b7d8
Link:
https://www.unpac.me/results/ebd5d0f8-8d5e-4338-a64a-f7c91bd8e026/
SH256 hash:
928f1a56a042c44cd29a4ed2ff43cf190e4039ef0c7ee60b8d064d3192fb8a42
MD5 hash:
2cc256246aae37e3a9573dc29bce450d
SHA1 hash:
bd82399f6393e995cc5724d2f245a5788490c960
Link:
https://www.unpac.me/results/ebd5d0f8-8d5e-4338-a64a-f7c91bd8e026/
SH256 hash:
0166843b3183005ad18535ebeb186784e89298f58cb79e41b782297f32381667
MD5 hash:
511ed19058ab41c4fec1e07b455673ec
SHA1 hash:
a4a10e8a31a3ec92f1b456d575e1d4e294ff83d9
Link:
https://www.unpac.me/results/ebd5d0f8-8d5e-4338-a64a-f7c91bd8e026/
SH256 hash:
39aa0f0f0b92affcdbc5680ea01978d087a613a122f8bd3415c7631ddc412f02
MD5 hash:
ccf3797c7d4f8ef4b2ebc17f2eb5329e
SHA1 hash:
68b12bdcce70a3aecb51a1891c1fe4f88634037f
Link:
https://www.unpac.me/results/ebd5d0f8-8d5e-4338-a64a-f7c91bd8e026/
SH256 hash:
a0a202e6ec4c2d847d9749d9989fe58dbd16b7b129df10b000c4de508648fcf6
MD5 hash:
ac6f7f7c2e76957cd1816bdc0128d4c1
SHA1 hash:
143032f85f4b66d3a0d4a429928cab5bad748458
Link:
https://www.unpac.me/results/ebd5d0f8-8d5e-4338-a64a-f7c91bd8e026/
SH256 hash:
e7fce13687202b513b037fc478729270150f3a903ef601e274cd5bbe23a3df0b
MD5 hash:
f729d1394542a388e866f188a3f0a2f6
SHA1 hash:
edc8c4d0983e67f8ae9f4e39de4f48dcfb9cc5cd
Link:
https://www.unpac.me/results/ebd5d0f8-8d5e-4338-a64a-f7c91bd8e026/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7fce1368720/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7fce13687202b513b037fc478729270150f3a903ef601e274cd5bbe23a3df0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 948f87e737138592b1e6f54771efa2f975dd9f65cea4b3b41751ada88f9c0048

AgentTesla

Executable exe e7fce13687202b513b037fc478729270150f3a903ef601e274cd5bbe23a3df0b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/285243/
  
Dropped by
SHA256 948f87e737138592b1e6f54771efa2f975dd9f65cea4b3b41751ada88f9c0048
  
Dropped by
MD5 570c93d65cbd9a5b817370abb6ca00ad

Comments