MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6
SHA3-384 hash: 76778970055d6333449b0c1e0d8b6981078153d42e9b6bcfb147b4c1dc7d760ee3164e1215648db8f0dec6a57e7b6c0d
SHA1 hash: 7f0fb69877f1190050a4a0193ac6b5a6cdec2b57
MD5 hash: 17809ada8c8f037b1fe8a428904cc6b6
humanhash: stream-five-robert-finch
File name:PO 278198726- New Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'072 bytes
First seen:2023-04-18 02:52:56 UTC
Last seen:2023-04-20 05:57:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:MQ7PCFKYTzAGTrNXTOHqPW3f0CEtcxf6q3dox3pj7AC5OScPPGFMWDPpt:d7EKcrNyz3I2i8CkP4McPpt
Threatray 295 similar samples on MalwareBazaar
TLSH T1ACE4D01613D8ABA8F57EC73242741B4463F9FDEA2612C38F3E2161E41D236859B5B3D2
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
521
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 278198726- New Order.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 02:55:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab573743-fe60-4c2a-aa70-887bb6c91793

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382910/
Detection(s):
Sanesecurity.Malware.25544.7zHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a file
Launching a process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643e0610b197bbdcf7dc3e71/reports/3b9c907b-27d8-422e-b1ab-b50aab2df9f3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ebce936f-b0f1-4bb5-9a41-5a544f74037a
Result
Threat name:
DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215611
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848539 Sample: PO_278198726-_New_Order.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 5 other signatures 2->50 8 PO_278198726-_New_Order.exe 5 2->8         started        12 653hytddfggyhiky.exe 3 2->12         started        process3 file4 36 C:\Users\...\PO_278198726-_New_Order.exe.log, ASCII 8->36 dropped 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->58 14 cmd.exe 3 8->14         started        60 Writes to foreign memory regions 12->60 62 Injects a PE file into a foreign processes 12->62 18 InstallUtil.exe 2 12->18         started        signatures5 process6 file7 38 C:\Users\user\...\653hytddfggyhiky.exe, PE32 14->38 dropped 40 C:\...\653hytddfggyhiky.exe:Zone.Identifier, ASCII 14->40 dropped 64 Uses ping.exe to sleep 14->64 66 Drops PE files to the startup folder 14->66 68 Uses ping.exe to check the status of other devices and networks 14->68 20 653hytddfggyhiky.exe 2 14->20         started        23 PING.EXE 1 14->23         started        26 conhost.exe 14->26         started        28 PING.EXE 1 14->28         started        70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->70 72 Installs a global keyboard hook 18->72 signatures8 process9 dnsIp10 52 Writes to foreign memory regions 20->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->54 56 Injects a PE file into a foreign processes 20->56 30 InstallUtil.exe 20->30         started        32 InstallUtil.exe 20->32         started        34 InstallUtil.exe 20->34         started        42 127.0.0.1 unknown unknown 23->42 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 02:50:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ab5dzpzm7j4ieynii5om5jscx4exq4ezntyafpdhedl63rr5exta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bf8d1b56d9ee5eae096286c987f3433ee9e1141afdd45581c0b644316e2fdb2
AgentTesla
135cbc54b63c8ec17f8174791d5fdfce239e587a319a335d4c22ef7e7ec225d0
AgentTesla
24055d43a09021ce0a445076e9b729b335a726937080337752854f2883103f67
AgentTesla
3c95ad2e565262c2324a40bb1778e70a197d6452a9a7457d0fd639befa1466d4
AgentTesla
3d7a7cad37509dedfd5d195c2f974e4ed7b2a03ead71e4744d753f40a3d4b43d
AgentTesla
4c21291a6890e6891831f113c48b40857a7ba0af0f13af3031425b81a1f2c776
AgentTesla
60a45dd4711c5aaa146e4b973d33934a6e7e29e530666202b7a88a6fb845ccb1
AgentTesla
8fa5ac8d44ea6dceea6a581c52fe4e336be7a60c710c50d405833d2ceed7bcf4
AgentTesla
b499cbf56149c33fc6e105f9121d8c985e5dff6f5e4201184a012673a94b98b4
AgentTesla
ba484a35c10e0de7b344da174c26560e29bd3fe895216f9d03c0ce1cfc3de706
AgentTesla
+ 285 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230418-dda8jahd59/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6
MD5 hash:
17809ada8c8f037b1fe8a428904cc6b6
SHA1 hash:
7f0fb69877f1190050a4a0193ac6b5a6cdec2b57
Link:
https://www.unpac.me/results/7b087dd4-1018-4379-bfda-1a9925a54d2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z c7c3244c20d85777f3467b0e64b0602d6bdb59b807f39bdb24335363ebe3d3fd

AgentTesla

Executable exe 007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c7c3244c20d85777f3467b0e64b0602d6bdb59b807f39bdb24335363ebe3d3fd
Cape
Cape
https://www.capesandbox.com/analysis/382910/
  
Dropped by
MD5 b9010dc0763ffeb6d816ea4b2ffc0157

Comments