MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7329530a28c60633cb144dbf8b44268b2695438c22595d11a600e25019c042e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7329530a28c60633cb144dbf8b44268b2695438c22595d11a600e25019c042e1
SHA3-384 hash: 692b8357ac92a39f7037333ec49e62f62628e4514715e2a68e09196ed589f63f193b0a8a3249918715f0686b661c6424
SHA1 hash: 40b11a9ccda200d1df55ea14f0ec1d22c77d503e
MD5 hash: b78b511a1b6fcd24bd7fa2110616f470
humanhash: table-freddie-football-jupiter
File name:Request for Quotation PKLMNL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:809'472 bytes
First seen:2023-02-07 14:22:52 UTC
Last seen:2023-02-07 15:46:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:W/+qk2KkOT4AraoeB2YIuyimus2I/0yIHjKA3hEiwiPN57awHRr/CB06KuLp4bDw:WRk2KcArWBXK2I/0hHa9657awxO5d4Z
Threatray 23'198 similar samples on MalwareBazaar
TLSH T1E605131D1FFEEB21D5685BB994302860077AAC26B223F31D1ED571E73E377209902A97
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation PKLMNL.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 14:24:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/99d1b016-0506-42cb-a40c-728a6bf1dd68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361385/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1822.27215.3733.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e25ec7447edb203a0313a2/reports/3b509f8c-0745-4460-b853-9eeec54cec3e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7329530a28c60633cb144dbf8b44268b2695438c22595d11a600e25019c042e1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07127501-a01f-4cf3-9366-6f4a07566f21
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167727
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7329530a28c60633cb144dbf8b44268b2695438c22595d11a600e25019c042e1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 12:49:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omuvgcriyyddhsyujw7ywrbgrmtjkq4mejmv2engadrfagoailqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01b0e10d7351007133aa2a5f1cef379b855706256fb70f327990ea142df772ad
AgentTesla
41857a1bfb1cda7337d39a4c6bcec253fb44532179f9cb12e919608f227e3dcb
AgentTesla
596335a72eac53fb62a52fc1671472c15055323287bc6e7c675f99d31562710f
AgentTesla
5d2e8a87688e3f312d3df9f4fab26b5646e9837704f816f2271e7d28e4f3d412
AgentTesla
77a9e6a12d18f811e2b4852add5a1a423202396a6d21285a4d6e6acd4d3f1a47
AgentTesla
8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95
AgentTesla
affcc95b61bb0461fcd218472be113a32059cc9abef6cb88aecaaf6577634239
AgentTesla
ce5c147f75c354710869fde43cdc99afb90de8f43d5a0a58cd7456ade759b110
AgentTesla
f14871b3c4416a897aa8526ec0d5cf04f2b5fec3d2f11f46d76f7705295b45e5
AgentTesla
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
AgentTesla
+ 23'188 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230207-rp47msfd3t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/c5632bea-ba57-45e7-85dd-426e1cf44009/
SH256 hash:
d2052306ea39ad4588e3420936a27b16e6763e4a7709b6a214c3eb99eb3f4f17
MD5 hash:
35ffcbaecbbc360f742aa5d2c17265b3
SHA1 hash:
e771101ba55bec0951ddfda84973a1bd6e1f8976
Link:
https://www.unpac.me/results/c5632bea-ba57-45e7-85dd-426e1cf44009/
SH256 hash:
51a714188212bffb885eae4b90168eefc79d75244c4ac417a3a2c55640dac62d
MD5 hash:
595059f457d9b744083ccf1f85cc0819
SHA1 hash:
6f1b50488df2ec1480e2fab4521e01ac100a8b63
Link:
https://www.unpac.me/results/c5632bea-ba57-45e7-85dd-426e1cf44009/
SH256 hash:
9fe9d37e3142efe4fc0745119616dcad9616aac0989b16b92cb78d5cd5350d4d
MD5 hash:
b93ecc25856d55ef25cbd68b87f2fa6d
SHA1 hash:
6d491d31ad4db71e476efa7087db206d3c7fd95f
Link:
https://www.unpac.me/results/c5632bea-ba57-45e7-85dd-426e1cf44009/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/c5632bea-ba57-45e7-85dd-426e1cf44009/
SH256 hash:
7329530a28c60633cb144dbf8b44268b2695438c22595d11a600e25019c042e1
MD5 hash:
b78b511a1b6fcd24bd7fa2110616f470
SHA1 hash:
40b11a9ccda200d1df55ea14f0ec1d22c77d503e
Link:
https://www.unpac.me/results/c5632bea-ba57-45e7-85dd-426e1cf44009/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7329530a28c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/7329530a28c60633cb144dbf8b44268b2695438c22595d11a600e25019c042e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/361385/

Comments