MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10
SHA3-384 hash: d33bf7a4579d8dbe36937016c4d0182a3f31f3060cf30957639dbdf6403dacb96bf8825fb06bac53380d5ec85d9602a6
SHA1 hash: ce5e88288576ed815c617f29580a0edd40b12dca
MD5 hash: c6437d60040cb3d955710cd344cfd612
humanhash: eight-oklahoma-william-wyoming
File name:Hmyteqkp.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'663'488 bytes
First seen:2023-11-13 18:33:02 UTC
Last seen:2023-11-13 20:54:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:AsEOyQdr7QcqeLj3G4l+tgDlghMdv2MY2f1ctde3ZWch036YUY6dVXjSjz6:azQdVX3tx5Y2f1ctde3D263nW6
Threatray 1'832 similar samples on MalwareBazaar
TLSH T18675E80BFA478BB1C269273EC6D70C1CA370E5416693F75B3A8A236918E33766D4560F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
333
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10.zip
Verdict:
Malicious activity
Analysis date:
2023-11-13 19:05:21 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/9c48c375-1e8d-4f5d-9b81-76240d9a539b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/458409/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31207.9856.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
DNS request
Sending an HTTP GET request
Creating a window
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65526c21993fbf888b74303e/reports/bdc88553-67e1-45ab-a39e-18cbb0fce4fc/overview
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ce7a15d-559e-4e84-9a4c-dce3a2bcad24
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341914
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-13 10:27:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7q2pr63jbru3k3qkvwum3wqxc2nvbnsquu3fmtducsgwpye3uia._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
Similar samples:
2b0e3076792cbaad1206b064b9f0dbcde8b22918d0063233c8d354f25ec5285a
AgentTesla
3854cd33e108ddb1a962d791ac6098619bd7047a9c297f11fb96653a45aa3897
AgentTesla
4979d51c93d480bc32b1de7fe0d366d0a6fc93301e46ad4dd8a2089d26e57065
AgentTesla
56cb155038e669d3008542380999cc6679800ece2b258cab31ff838e6df4415e
AgentTesla
79d976cea79bce9e0f920d918af0f1b0721266ca091633ae37811e088b04d1ec
AgentTesla
b7d6a1034526c45dcdd4f88061de0b13047d330a97ed1d5466d7717190db8ccd
AgentTesla
ca528eb30885238a7e594075c68afe244602e2438da103c98ddd81cbdeaffa2e
AgentTesla
fb88365884043fb264c0bb3d9291a58cfd5955468f35bfe77154b316981bdaa6
AgentTesla
+ 1'822 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231113-w68cvafa29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d7c15bf5a145a117c4a547b2fecb07280543841afb35de0b6f7d308096c2e047
MD5 hash:
6d2186e5a6a078e89f232e354bb34166
SHA1 hash:
fc2341721d89b8d8808d0aa57c10c2db1be6f2e7
Link:
https://www.unpac.me/results/68ca79f1-7465-413f-854c-b21e65f6b674/
SH256 hash:
78cb6a307742b998d5ab038ab0a39d8983385dad13d7bd7c2628b4d9a8d92340
MD5 hash:
ce390a882717a396d36ae142461c7750
SHA1 hash:
c780e00415d58ff4d2fb6e49a2e2c439caa6238c
Link:
https://www.unpac.me/results/68ca79f1-7465-413f-854c-b21e65f6b674/
SH256 hash:
c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c
MD5 hash:
a7770cd05872881f3e47e8a9041748fd
SHA1 hash:
7606e077fdeb8dc5fbffbf428260baba4f0ba470
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/68ca79f1-7465-413f-854c-b21e65f6b674/
Parent samples :
07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10
b90922b5e35d6368d5ae449c45a111323f5d3b883416b0c13df5c1ecaa25d9bf
0bc70feb553bde362d94c650261f67ba9c56502ad04c838ff2d7c4fc49a45fb1
6fd650e4f7d88a81503ca6a6ba8d21abbdd0a6d14086bfff03d1b5cc89625eaf
5c7d5f2261c2faa3edb70a55eb5a53deb84557f80d7fa339d5ec82999f1ed213
d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b
SH256 hash:
e954fed97897e118e5c53a81d7c977ce9a23af008de693f293086030e229cbec
MD5 hash:
d91dab214f3c859bdbb23fc867cfc174
SHA1 hash:
7532b5ce1cb52c7201b0b17a0054c02c0cc71d38
Link:
https://www.unpac.me/results/68ca79f1-7465-413f-854c-b21e65f6b674/
SH256 hash:
bc3565f7039fc56ae027ebb5726762af9a196e3870248d5b2e667b83a6a0769e
MD5 hash:
2073cc3184f62300dfca232c7be01f12
SHA1 hash:
6e8717159b840afa0728ec3274cb89cb063706ce
Link:
https://www.unpac.me/results/68ca79f1-7465-413f-854c-b21e65f6b674/
SH256 hash:
07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10
MD5 hash:
c6437d60040cb3d955710cd344cfd612
SHA1 hash:
ce5e88288576ed815c617f29580a0edd40b12dca
Link:
https://www.unpac.me/results/68ca79f1-7465-413f-854c-b21e65f6b674/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/07e1a7c7db48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/458409/

Comments