MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76f10c642d9be6759a4a1b94cba83708597d60a9a7dbb05bd8db971e75545d06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76f10c642d9be6759a4a1b94cba83708597d60a9a7dbb05bd8db971e75545d06
SHA3-384 hash: c1fbed787db47b60a992a10722fb500c1e2080627f0db92e7db4b362b36d8edc5abd3074a953f690286f5a6690542aaf
SHA1 hash: 0953c52007c15dfce4f969a1f00112c126784654
MD5 hash: 363ae44357f10709698686a3ac11a2ca
humanhash: skylark-alaska-lion-virginia
File name:payment reciept.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:277'504 bytes
First seen:2021-09-03 13:40:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aa2b72693aae6a6c6f24564ac3d32728 (4 x Formbook, 2 x RemcosRAT, 2 x AgentTesla)
ssdeep 6144:cQEfD/i1lkemVTtuASZNaEz2pjoLlhGiHVe:ymetufNhLb3e
Threatray 9'450 similar samples on MalwareBazaar
TLSH T1ED44B761F385E45AE44208797829DF711066793468B8C40FB7CA7B1B29F33D7A42AF0B
dhash icon e8ccae8c36e2d8e0 (27 x AgentTesla, 1 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
384
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment reciept.exe
Verdict:
No threats detected
Analysis date:
2021-09-03 13:44:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76aec898-beb9-4c0b-bef0-7f729d471802

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185203/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a system process
Malware family:
Dimnie
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97714613-eff7-491b-a50a-2079135bacf7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844868
Signature
Antivirus / Scanner detection for submitted sample
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76f10c642d9be6759a4a1b94cba83708597d60a9a7dbb05bd8db971e75545d06/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 12:49:25 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3yqyzbntpthlgskdokmxkbxbbmx2yfju7n3aw6y3olr45kuluda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
29a8a708880ca187202112de47bed915bf9fd0e64cab0d08a839b7ede6c16506
AgentTesla
33522f78827572158bd59c33cb91a6db68eeb48e3690d105a787ea9cb7b8c54c
AgentTesla
3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed
AgentTesla
581543b7144f7ba606b44119ee7607c70f01920ec0d10084a9ff9106c6753519
AgentTesla
6fb6f5ecd2114e2e4b922372ad82e00e65b3a9d45b5fb3e4a86dde0f25ad902e
AgentTesla
8749c16cb8cc3999e4db4fa619da8d90fcdee57c7c99479e96e5eb3427a427a0
AgentTesla
b528aab1cf14c985fecd7f6f2fd0a31101cd952abedbd10cf7357708057d91b9
AgentTesla
c2bf77c7740f8cae2b71502eb3945e92587441a29fa72127bc531b959de100e3
AgentTesla
+ 9'440 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210903-qyjrmagdgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument
Unpacked files
SH256 hash:
76f10c642d9be6759a4a1b94cba83708597d60a9a7dbb05bd8db971e75545d06
MD5 hash:
363ae44357f10709698686a3ac11a2ca
SHA1 hash:
0953c52007c15dfce4f969a1f00112c126784654
Link:
https://www.unpac.me/results/120f4e6e-dfe4-487f-82b7-e35db0334791/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/76f10c642d9b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76f10c642d9be6759a4a1b94cba83708597d60a9a7dbb05bd8db971e75545d06

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 76f10c642d9be6759a4a1b94cba83708597d60a9a7dbb05bd8db971e75545d06

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/185203/

Comments