MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7476ebf4d5eb027b773857718b4cb26e34846a82d1d5d2dbfc06e55c31f46e93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7476ebf4d5eb027b773857718b4cb26e34846a82d1d5d2dbfc06e55c31f46e93
SHA3-384 hash: f82bc338acf8335311eb3e2af77c7b58522d83b5cb7bd28b54d369c1ade3cad208f1460483aaf11fb37d9ea7522f2551
SHA1 hash: 6fda8c5e355f2fc79020c1e90811791e9c9b10a5
MD5 hash: dbd14d47bbe2891d324637a007759ea2
humanhash: harry-king-golf-lithium
File name:hesaphareketi-01.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'094'656 bytes
First seen:2022-11-22 14:47:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:gYe7Vo2iNUsZ1DX/VDJFRodOl0nafS4+GCCOMjCPsMNj0tpbs72Mr/iTHHP7x1QV:V1ueqdOSaKpKOMjyKVHb91QLGa+h8G2
Threatray 22'820 similar samples on MalwareBazaar
TLSH T1B4357CCB2F300E84CB5F34715C8D1B8462523DA149F59CF22B75AB786D468BFA69227C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe geo Telegram TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 14:49:31 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/a3bc0518-413c-4e2e-a59f-0c72350667cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337266/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389-2.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637ce1285f223762e6ee34d6/reports/7ae0fa6e-a25c-4e18-908f-632a693f2f4b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c4561bb-b783-4238-81d2-9ad6f6504e79
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118994
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751709 Sample: hesaphareketi-01.exe Startdate: 22/11/2022 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 9 other signatures 2->50 7 hesaphareketi-01.exe 7 2->7         started        11 pEaOXYjFKZRBeD.exe 5 2->11         started        process3 dnsIp4 32 C:\Users\user\AppData\...\pEaOXYjFKZRBeD.exe, PE32 7->32 dropped 34 C:\...\pEaOXYjFKZRBeD.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpF8A2.tmp, XML 7->36 dropped 38 C:\Users\user\...\hesaphareketi-01.exe.log, ASCII 7->38 dropped 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->54 56 Uses schtasks.exe or at.exe to add and modify task schedules 7->56 62 2 other signatures 7->62 14 hesaphareketi-01.exe 15 3 7->14         started        18 powershell.exe 19 7->18         started        20 schtasks.exe 1 7->20         started        40 192.168.2.1 unknown unknown 11->40 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 pEaOXYjFKZRBeD.exe 11->22         started        24 schtasks.exe 1 11->24         started        file5 signatures6 process7 dnsIp8 42 api.telegram.org 149.154.167.220, 443, 49695, 49696 TELEGRAMRU United Kingdom 14->42 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->64 66 Tries to steal Mail credentials (via file / registry access) 22->66 68 Tries to harvest and steal ftp login credentials 22->68 70 Tries to harvest and steal browser information (history, passwords, etc) 22->70 30 conhost.exe 24->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7476ebf4d5eb027b773857718b4cb26e34846a82d1d5d2dbfc06e55c31f46e93/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 14:06:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=or3ox5gv5mbhw5zyk5yywtfsny2ii2uc2hk5fw74a3svympun2jq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011df7d1cd4ed00d5e2ee5f8627369830ca5fab184d8fae1aef3e9ee42d0e018
AgentTesla
42cb095fcf7bce147419fe87bffc91a1c0c189f731daaa819b17d371594b868f
AgentTesla
54983544e9fd6e0423bcd9ea883e4ff1375abcdd58876d79701e9d24882500ed
AgentTesla
6a3dc848c0ad77c98fce00a7de5649bdb23bce7c725c10b8cb75fa2f11c7e8df
AgentTesla
8ff7a6426f4508b86859b8cec95d060cfad399e958d08dbe749ffd372f8afaa3
AgentTesla
9b2c7ebecd82b2543c3f3a175a7fe37350277b6cb5f9481dded11e34a51ca4bd
AgentTesla
d18ceb0ff0f9457759ecc501fbf6f9e9cb3e59a4f92cd53f215a9e3b4e7c31df
AgentTesla
f8cadf28d331fb0af9d2b53cca0859948cb5ab2e5f2e447c6659f481e73c7a77
AgentTesla
+ 22'810 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221122-r6ggxabc5y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5798024834:AAGLHTcPdLDij7ehMoasiBZDz8oodefEy0E/
Unpacked files
SH256 hash:
bd297cfb4512342f874517dab33f1e84a8beba34f915b17dfb4bf2fdcea4fea8
MD5 hash:
147f73ab87f0c2762828621a906d94c0
SHA1 hash:
f321a59e75fb9ec1c6d8bb1cc79f04e48eebf374
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/6b03cf52-de5e-4a20-ae89-5e380c76f2f6/
Parent samples :
7476ebf4d5eb027b773857718b4cb26e34846a82d1d5d2dbfc06e55c31f46e93
4b9761bcf4390d621a51510551602140fa4127d33245712580bc377b872476c4
0f8bdb179425c93430b81e36a2df60903c06de31ad4b7bebf1a85db865bb2495
9e91e0ffb8cb2160f8a85438e2ca0d8beea2c41797585049e3a8446df969888b
bbc3849d4c85b83bcd8a540db347fccc742ed4f8b767a17d6d5172f71054d52b
SH256 hash:
e8240cb9ed4c388d0befe96c6d5e765936e23b3b5d0e31a9e3e78d101f20207b
MD5 hash:
77e627f9327ef44b1364e813c6526bea
SHA1 hash:
697c7f5ae9b3623f267750945e957f14cbb6196f
Link:
https://www.unpac.me/results/6b03cf52-de5e-4a20-ae89-5e380c76f2f6/
SH256 hash:
7ad9301632e0dfd2f3849bad154d8b037c488fe4add9cb523c883e7286a05e54
MD5 hash:
d471d3eaa2475c72f2e0e85412604b55
SHA1 hash:
3af3df2e8cb7cd1ed43acbcce6639c26a43647c1
Link:
https://www.unpac.me/results/6b03cf52-de5e-4a20-ae89-5e380c76f2f6/
SH256 hash:
744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f
MD5 hash:
91fed5db1afcdf48e0cd6d4058a013ba
SHA1 hash:
3717b3346e25d3f66f00626ad1a771d8655f485f
Link:
https://www.unpac.me/results/6b03cf52-de5e-4a20-ae89-5e380c76f2f6/
SH256 hash:
bc98e487bed5993b3e3a3be4d540702a0bf4c8144e77ef69d518e4687c33a9e5
MD5 hash:
3974f5769d3b304fc777fbff679f62ba
SHA1 hash:
0a038394581fc29078a75f13b2da079b8094ae6f
Link:
https://www.unpac.me/results/6b03cf52-de5e-4a20-ae89-5e380c76f2f6/
SH256 hash:
7476ebf4d5eb027b773857718b4cb26e34846a82d1d5d2dbfc06e55c31f46e93
MD5 hash:
dbd14d47bbe2891d324637a007759ea2
SHA1 hash:
6fda8c5e355f2fc79020c1e90811791e9c9b10a5
Link:
https://www.unpac.me/results/6b03cf52-de5e-4a20-ae89-5e380c76f2f6/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7476ebf4d5eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7476ebf4d5eb027b773857718b4cb26e34846a82d1d5d2dbfc06e55c31f46e93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7476ebf4d5eb027b773857718b4cb26e34846a82d1d5d2dbfc06e55c31f46e93

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/337266/

Comments