MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c7e2ea86b0fd1398de43240daca82e38dcec78f266d76ddf5bd5ba68a721d2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c7e2ea86b0fd1398de43240daca82e38dcec78f266d76ddf5bd5ba68a721d2f
SHA3-384 hash: ae5802af15c885676713b1c21b7dd617384f98c7a60cd96e824e14f2182afd05549835eabd3ac3b209c71def8a0ada98
SHA1 hash: f6f6cd16614c3bdb4497634eb525c04bb11cfda6
MD5 hash: f232bc83dbea94159cc84aba926eaa6f
humanhash: leopard-jig-venus-magazine
File name:f232bc83dbea94159cc84aba926eaa6f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'257'984 bytes
First seen:2021-07-23 17:13:54 UTC
Last seen:2021-07-24 12:18:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:pJjAKND1LIQgBPiXVl6/FQT8D3pJBPvnv:pJjN9IQEiXD6NLPvn
Threatray 7'319 similar samples on MalwareBazaar
TLSH T1CB45D0F01AB0C994DE8B0739CF3E69B63E2A20FF974107D2A5B946942587FD5DC829C4
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f232bc83dbea94159cc84aba926eaa6f.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 17:15:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08ba6bd2-27f0-42ba-a5e7-2d8ab7556256

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173733/
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53dbd874-d1a3-4c27-a4ff-bb96917ed947
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/820952
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c7e2ea86b0fd1398de43240daca82e38dcec78f266d76ddf5bd5ba68a721d2f/
Threat name:
ByteCode-MSIL.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-23 17:14:19 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=br7c5kdlb7ittdpegjanvsuc4og45r4pezwxnxpvxvn2nctsduxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
284f84d96664f2cd87973b7251e93e4e6dd0f954ec5f043c9f95e5cbddeb6420
AgentTesla
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03
AgentTesla
6e8ba9ccbcfe6fb5e8ff5ba198398b3e7994f8afc6d51140496a3b4c1d67e20f
AgentTesla
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386
AgentTesla
cf3f60295611af5ef3e9c80a9ab1a09928431a8c4a1561f7139267db480e05cc
AgentTesla
d0161531f5293cd6ed32289dbdcac085c08fcb305d66f0905f2ec10fbd6be956
AgentTesla
e81c6b84f83b9ac8233102f31e21bfeeab4ffaa5aa4c02987ce910de908a83ed
AgentTesla
efb3cc17330b519d970353a2f8da8ab9a10abbed7fb5ac099bd4ed575ba21fa5
AgentTesla
+ 7'309 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210723-lvw939fcfa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendDocument
Unpacked files
SH256 hash:
5a13cf8d662147ff8da55b36a0b05d51f8fa2a6a02b87af14b9ef8f13d22de48
MD5 hash:
a9625c8588b22ef58386952eea6a5488
SHA1 hash:
ae90fd6368893548123e4cf602f464371f04d9aa
Link:
https://www.unpac.me/results/b95e509e-4f71-4233-855b-c22ac51ef108/
SH256 hash:
51d88fbbe85f00d9dd0a137786f5c201fc38a5054fad969d114ec07330e1e22e
MD5 hash:
32168b9c3c2c70810b82b7e48fb550c8
SHA1 hash:
53cf318e36fef1591d42ccf2a3c33cd47852c5e7
Link:
https://www.unpac.me/results/b95e509e-4f71-4233-855b-c22ac51ef108/
SH256 hash:
4ac759bb7e52f2f0f4839c3d3906406d3bc81895cd90a0425590ec67e8cc09d9
MD5 hash:
59d161caba9a60785d14b3f05eb7c681
SHA1 hash:
27977c29daff707c4aa34277060135b181b42ab5
Link:
https://www.unpac.me/results/b95e509e-4f71-4233-855b-c22ac51ef108/
SH256 hash:
0c7e2ea86b0fd1398de43240daca82e38dcec78f266d76ddf5bd5ba68a721d2f
MD5 hash:
f232bc83dbea94159cc84aba926eaa6f
SHA1 hash:
f6f6cd16614c3bdb4497634eb525c04bb11cfda6
Link:
https://www.unpac.me/results/b95e509e-4f71-4233-855b-c22ac51ef108/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c7e2ea86b0fd1398de43240daca82e38dcec78f266d76ddf5bd5ba68a721d2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0c7e2ea86b0fd1398de43240daca82e38dcec78f266d76ddf5bd5ba68a721d2f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1411476/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173733/

Comments