MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 764bbdd65e3d06d3a808d3abeb6b6dd3b5467fba53deb1b16c3b01e5e847f1c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 764bbdd65e3d06d3a808d3abeb6b6dd3b5467fba53deb1b16c3b01e5e847f1c9
SHA3-384 hash: e8026d9ebf4f55d42f38f9b05c4f3dafaf1d7025c66ba78f1186ef142457a82d99e6f56d138dbdbf98e0f827faf4b6b7
SHA1 hash: 325b6e5e3dfd6849c4d8748be47fcf2a73a65223
MD5 hash: f657909078f41cdaadfdddf035f1f835
humanhash: timing-undress-robin-ceiling
File name:contract.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:356'864 bytes
First seen:2021-07-12 12:50:52 UTC
Last seen:2021-07-12 13:56:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:WbMw25LrSOkYcHMPee7lCZwQDX4rD6Qx/mh:Wx0fSOk987eDSROh
Threatray 6'595 similar samples on MalwareBazaar
TLSH T1F57412A42798CFA4CC2523F7A0C7E9414BB6DD6B9465E886308CB671CF733931F92649
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
contract.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-12 12:52:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ba141be-54c6-4a6e-a754-90dbb5c890c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171088/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14123.10368.2731.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38e6d7b5-0bcf-4c82-a966-c1236b90fd00
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814845
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447254 Sample: contract.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 4 other signatures 2->51 8 contract.exe 4 9 2->8         started        12 contract.exe 2 2->12         started        14 contract.exe 2->14         started        process3 file4 27 C:\Users\user\AppData\Roaming\contract.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\Local\...\contract.exe, PE32 8->29 dropped 31 C:\Users\...\contract.exe:Zone.Identifier, ASCII 8->31 dropped 33 3 other malicious files 8->33 dropped 53 Writes to foreign memory regions 8->53 55 Injects a PE file into a foreign processes 8->55 16 contract.exe 8->16         started        19 wscript.exe 1 8->19         started        21 contract.exe 2 8->21         started        57 Multi AV Scanner detection for dropped file 12->57 signatures5 process6 signatures7 35 Multi AV Scanner detection for dropped file 16->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->37 39 Machine Learning detection for dropped file 16->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->41 43 Wscript starts Powershell (via cmd or directly) 19->43 23 powershell.exe 26 19->23         started        process8 process9 25 conhost.exe 23->25         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/764bbdd65e3d06d3a808d3abeb6b6dd3b5467fba53deb1b16c3b01e5e847f1c9/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-11 01:00:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
20 of 29 (68.97%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ozf33vs6hudnhkai2ov6w23n2o2um752kppldmlmhma6l2ch6heq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04429647bba9090cd3500f585a8a5ec39891f8b8a88f4f647a67a9d35e3ed217
AgentTesla
16687d1c2945be78cbcabfb542520fc4f0a153b820aed024d8dd0032be6a7b0f
AgentTesla
3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
AgentTesla
73db8576ad079efbe1376a00f6d027d0e9aeb173f594ee7161dbd5c62f9f215d
AgentTesla
791232ba8efdbe3778e195b4a96173183e44d101af42f0b308cca758ccd4d17c
AgentTesla
86e7e9abc8ae431280935625545da1a813509462ec27d6d7ded6ef0a6b8eb43a
AgentTesla
9ca380b9e68f8aab9d08c3357ce286ce087c81c96b64923f6401dc31679b5453
AgentTesla
a792c75171ffe33735115662b89bb58635c750e2405cb30556faf96e26769c8d
AgentTesla
bbde4210ae31bc0d1a2b038dba97b9aea0a3d9ac9e0dc5a11475208b61506d9b
AgentTesla
e860f949006657d88539f009376c3b6ed3947e81ddd1dcc2253f0c27b1945806
AgentTesla
+ 6'585 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210712-abzl3xktzx/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c4d021f47a399f85c3e9ed68e5e88f34ff42d2828cd4fdf353bc8ccb454cc36d
MD5 hash:
4e065511e7e209185de35a4d92aa2bd9
SHA1 hash:
96e715964f20125842e955e211450e546b1317be
Link:
https://www.unpac.me/results/43acf4c2-16e3-4945-b926-c2fb5990b29d/
SH256 hash:
9a3c2e2ef9e30e70ebeefac878aa49621c4a6f02f83c05014f09135c141531b6
MD5 hash:
1d4de460020c1c4e86772ec944987ac5
SHA1 hash:
4e8920b0038cbb046576116f2bbb49b54a1ee991
Link:
https://www.unpac.me/results/43acf4c2-16e3-4945-b926-c2fb5990b29d/
SH256 hash:
cb0894e025534f4d9c378fb3784d3fd262c2ad7ec68b738e52800949f0117d09
MD5 hash:
0eb0321dd2c354a1186ceca88a90eb5b
SHA1 hash:
1502ffe6754e61731b7c7d11a6202f532476fa96
Link:
https://www.unpac.me/results/43acf4c2-16e3-4945-b926-c2fb5990b29d/
SH256 hash:
764bbdd65e3d06d3a808d3abeb6b6dd3b5467fba53deb1b16c3b01e5e847f1c9
MD5 hash:
f657909078f41cdaadfdddf035f1f835
SHA1 hash:
325b6e5e3dfd6849c4d8748be47fcf2a73a65223
Link:
https://www.unpac.me/results/43acf4c2-16e3-4945-b926-c2fb5990b29d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/764bbdd65e3d06d3a808d3abeb6b6dd3b5467fba53deb1b16c3b01e5e847f1c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/171088/

Comments