MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7357f5952f266bf7f39bf4d0c1779eaa12c2b0e11f6a78e232946eaf533a7e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7357f5952f266bf7f39bf4d0c1779eaa12c2b0e11f6a78e232946eaf533a7e35
SHA3-384 hash: bd07b705b49aa79fead1626d916606256a1e00d90f12714e821490f2d609a3ca50a5a549db3d03d09c3adff4582e99cc
SHA1 hash: 2f0272c56b838b23421e02be2aa75e6b66fbb45c
MD5 hash: 46a74a09df2408bda7a361deeda76612
humanhash: speaker-solar-jupiter-finch
File name:Order2436.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'279'488 bytes
First seen:2023-08-17 08:28:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:u8RJgb4Q4wcfu0Do8AxLYcSKIxW0pEPVl+hSW7SJMLi7fh1TwF0rO/D0l2twGwMD:lJgb4QMu00dWHWjCR+JTLhFC/glDR
Threatray 946 similar samples on MalwareBazaar
TLSH T13645D006B6F46172DD04D635C6E65A1082A7DE99A7E2C24A348C779E0F323FD8F136C6
TrID 58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.4% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 7068ccb0b2b2b2f8 (129 x AgentTesla, 54 x SnakeKeylogger, 28 x AveMariaRAT)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Order2436.exe
Verdict:
Malicious activity
Analysis date:
2023-08-17 08:30:41 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/0627c16b-1309-4998-b371-778601ba80ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443162/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7357f5952f266bf7f39bf4d0c1779eaa12c2b0e11f6a78e232946eaf533a7e35
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da1fc351-9436-4056-8b9e-d8ab7f97b5c0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292641
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1292641 Sample: Order2436.exe Startdate: 17/08/2023 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected AgentTesla 2->58 60 7 other signatures 2->60 7 Order2436.exe 1 6 2->7         started        11 Evlnqofavb.exe 5 2->11         started        13 Evlnqofavb.exe 6 2->13         started        process3 file4 52 C:\Users\user\AppData\...vlnqofavb.exe, PE32 7->52 dropped 62 Writes to foreign memory regions 7->62 64 Injects a PE file into a foreign processes 7->64 15 AppLaunch.exe 2 7->15         started        18 cmd.exe 1 7->18         started        20 cmd.exe 1 7->20         started        22 AppLaunch.exe 11->22         started        24 cmd.exe 11->24         started        26 cmd.exe 11->26         started        66 Multi AV Scanner detection for dropped file 13->66 68 Machine Learning detection for dropped file 13->68 28 AppLaunch.exe 13->28         started        30 cmd.exe 13->30         started        32 cmd.exe 13->32         started        signatures5 process6 signatures7 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->70 72 Tries to steal Mail credentials (via file / registry access) 15->72 74 Installs a global keyboard hook 15->74 76 Uses ipconfig to lookup or modify the Windows network settings 18->76 34 conhost.exe 18->34         started        36 ipconfig.exe 1 18->36         started        38 conhost.exe 20->38         started        40 ipconfig.exe 1 20->40         started        78 Tries to harvest and steal browser information (history, passwords, etc) 22->78 46 2 other processes 24->46 48 2 other processes 26->48 42 conhost.exe 30->42         started        44 ipconfig.exe 30->44         started        50 2 other processes 32->50 process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7357f5952f266bf7f39bf4d0c1779eaa12c2b0e11f6a78e232946eaf533a7e35/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-16 02:14:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=onl7lfjpezv7p4436timc546vijmfmhbd5vhryrssrxk6uz2py2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0274434e5edf49805ad6de74a9931ab6cd5b96868d59ed91d4f6ff23a56aa3bc
AgentTesla
10c3ade35a4335bd3c404789a75cc98b4b28a12468db7f8fd6e94d468e0bad7e
AgentTesla
1f2d3d8890dd9e64645db50eeb14ff707f855defcfdd55eb5fe49f409373ca56
AgentTesla
44828584c1957e1e8ed8b43fd4102c392bc70a33605f3f3dafbaa8635ba0c2bd
AgentTesla
49d4472a338ca137c33aeed9eb7fc2a61ec2e095c059bb9f777358e900e4037e
AgentTesla
d573dcc5c3777f6c1b89727f678198a840c7e299d9d48ab5989adff5dc24ba24
AgentTesla
d937b12e3eb1af2267ec3056f84a62d66f620273a068820b9c650b42391365ab
AgentTesla
fd0b5471a1c071d85663c79307a63dd66b9e67eafcb18c47601e932ef54b40bb
AgentTesla
+ 936 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230817-kdj9rsab3v/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla
Unpacked files
SH256 hash:
7357f5952f266bf7f39bf4d0c1779eaa12c2b0e11f6a78e232946eaf533a7e35
MD5 hash:
46a74a09df2408bda7a361deeda76612
SHA1 hash:
2f0272c56b838b23421e02be2aa75e6b66fbb45c
Link:
https://www.unpac.me/results/502167b7-c533-4d49-9142-98cc16839c10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/7357f5952f266bf7f39bf4d0c1779eaa12c2b0e11f6a78e232946eaf533a7e35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 166d2f36dbcdf24ca8f1dd1da4ce867bde70b88f623e65849c11b77346d44b37

AgentTesla

Executable exe 7357f5952f266bf7f39bf4d0c1779eaa12c2b0e11f6a78e232946eaf533a7e35

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 166d2f36dbcdf24ca8f1dd1da4ce867bde70b88f623e65849c11b77346d44b37
Cape
Cape
https://www.capesandbox.com/analysis/443162/
  
Dropped by
MD5 157746de56c5c2a5a7c358e7e6d83fe0

Comments