MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07d837ca182080435013ec54fd8be82904502e62363c84de204f5ff991a191e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	07d837ca182080435013ec54fd8be82904502e62363c84de204f5ff991a191e8
SHA3-384 hash:	1893955d7dbf3b332a15936d7080be874d3cc2fbfd4440c7fd3c0e53130e7c4124d6f333aafb4907dbc80c69460b1e06
SHA1 hash:	79a8b33d5d43cfdd47ec0a30d6c6babe6e7936a1
MD5 hash:	9f2a5bfdc96beaf41c4c0a77c9cc1eb4
humanhash:	tango-four-fix-magnesium
File name:	TİCARİ BELGELER VE ÖDEME DETAYLARI.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	884'736 bytes
First seen:	2023-12-04 09:25:02 UTC
Last seen:	2023-12-04 11:22:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:EvCe+rYESCVPjkguQUQqzjFNxnFyZakskuD3jYRvGhzQEeknDqz:Eqe+ACVPpuQ4z5NxFu7uDTYRvG2UDq
Threatray	4'649 similar samples on MalwareBazaar
TLSH	T14B155DD1F15088DAED6B09F1BD2BA5302493BE9C54A4410C56AEBB1B76F3352309FE1E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla exe geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

Vendor Threat Intelligence

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/07d837ca182080435013ec54fd8be82904502e62363c84de204f5ff991a191e8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f711dd30-9c61-42d4-8de4-494305a06fa8

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1353021

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/07d837ca182080435013ec54fd8be82904502e62363c84de204f5ff991a191e8

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/07d837ca182080435013ec54fd8be82904502e62363c84de204f5ff991a191e8/

Threat name:

ByteCode-MSIL.Trojan.Spynoon

Status:

Malicious

First seen:

2023-11-20 07:00:17 UTC

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a7mdpsqyecaeguat5rkp3c7ifecfaltcgy6ijxraj5p7tenbshua._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

0c0b8cfcdae8cc7d8a0b193e9e14d060138396c1c3635ba1f346b2836a51de0b

AgentTesla

2100dd57077739bf596266ed7d339e7d7ab676715720e81fe8005c3f0c1a870f

AgentTesla

ad7cecbbae93e5f9899d2600ce0a0516b185c7b31f778916be4c534beba1cc8b

AgentTesla

f281d0cd25d9dc8b85212323cb16829069afc3978f6f89b3b10d228da0da5d35

AgentTesla

+ 4'639 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231204-ldmkkaac63/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

a3a79347b0a9e33605bcca2e940e28014600e3216a25a9a4a66bf42eb62de8f4

MD5 hash:

9f9b29a0cd358012b680dba7c7018573

SHA1 hash:

fb5e13cd0046b3626c95028775423996c930a49e

Link:

https://www.unpac.me/results/0ca4c261-1757-408b-a950-f84357ad477b/

SH256 hash:

33407b5942a854752634f26ce539997cb11e38ead1cd1324323217edeab3aacc

MD5 hash:

a09190bfe8b107ba47f618515e5a307f

SHA1 hash:

d6d7bee4606f6825af02ccda20ca7cb7a63e26ba

Link:

https://www.unpac.me/results/0ca4c261-1757-408b-a950-f84357ad477b/

SH256 hash:

37a8aa330fe8317b5308d54f5cabad6d958de33877392b46e8d1368bf312e862

MD5 hash:

f56c17876aec752d32eb662ac334fac1

SHA1 hash:

d461910db1922999d99d75e1585c1ef18adca24e

Detections:

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DiscordURL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/0ca4c261-1757-408b-a950-f84357ad477b/

SH256 hash:

271435237db807db846c02b054f863f9ddafb905bdbf812b5200d7d03ea8d0b2

MD5 hash:

56520b48355be8b9724ed7fbbe6157ef

SHA1 hash:

6e62af17faab34c07857550c7b60b91b61d8fbdf

Link:

https://www.unpac.me/results/0ca4c261-1757-408b-a950-f84357ad477b/

SH256 hash:

07d837ca182080435013ec54fd8be82904502e62363c84de204f5ff991a191e8

MD5 hash:

9f2a5bfdc96beaf41c4c0a77c9cc1eb4

SHA1 hash:

79a8b33d5d43cfdd47ec0a30d6c6babe6e7936a1

Link:

https://www.unpac.me/results/0ca4c261-1757-408b-a950-f84357ad477b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/07d837ca182080435013ec54fd8be82904502e62363c84de204f5ff991a191e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample