MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7866b3d9b7202921f2cf5dd641cc6435f9408cbb52fbec9d8110bd14084d603b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7866b3d9b7202921f2cf5dd641cc6435f9408cbb52fbec9d8110bd14084d603b
SHA3-384 hash: b0199c60e2c432e97ba40c351f29a6b9b26d14835df0ce8b672b9a682fd9cacb49a107b6c333fd38b0534c7d361bbef9
SHA1 hash: 63b72a38477597a642337a2239bf3781e166dd5b
MD5 hash: eeea96658f814be6ee3f6fa84299f577
humanhash: venus-jig-green-chicken
File name:OUTSTANDING PAYMENT,PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:823'808 bytes
First seen:2021-03-30 06:23:43 UTC
Last seen:2021-03-30 06:58:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:nhAnvyx6yQOpkrgCVTbaakxaM9qBxaM9qELAj1sVowwJIN6jduhf/B:unQKHTsxF9SxF9TboBJq6jdq
Threatray 3'562 similar samples on MalwareBazaar
TLSH 1105F13127655B91CABE87799136105053FAE457E302EB7EBDB920CD0C62FC98B72623
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [103.156.90.104]
Sending IP: 103.156.90.104
From: salesrep0002@hotmail.com
Subject: OUTSTANDING PAYMENTS.
Attachment: OUTSTANDING PAYMENT,PDF.gz (contains "OUTSTANDING PAYMENT,PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OUTSTANDING PAYMENT,PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-30 06:27:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5749f6fd-f2eb-45dc-8192-09f5cd4d66a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127897/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.12922.2433.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ba7be2d-83a5-4668-8129-376bde1344b0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658003
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7866b3d9b7202921f2cf5dd641cc6435f9408cbb52fbec9d8110bd14084d603b/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-30 06:24:08 UTC
AV detection:
10 of 47 (21.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbtlhwnxeausd4wplxledtdegx4ubdf3kl56zhmbcc6riccnma5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1f57778e5448ce6d8834f523299fc5ba868636556c993a4b5f3faabacb36c993
AgentTesla
5ac5eee21d5a32eb57d80ff83da21265c7d11c525f6b57ed124a266ce04fee54
AgentTesla
5c8ba975c1ec2a2fe0c98e5e1cd0ba61b415ba7667f5a7c95ad383abe4ba92a2
AgentTesla
6078aa4d21b0cc37bde56d75ab91ea98248d19d21981492c648d40a284b74f1d
AgentTesla
80622d6bf536ca1e21f411864d3c4af7f4ebded98ea3aeeb6c99b964b247e3ca
AgentTesla
a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd
AgentTesla
b5ec0adc9736aadca40963ac6fc706c761fcb9dcdc311d7547f52f1614ecc2ed
AgentTesla
bd4f9c3b773d0d0b385d03313943d7dadf1475cbacecfdcc91bb65e993cfdf1e
AgentTesla
de9d415f8380055c8fc1a2239b7e1e85f29f0f1ba780c7bb2b9e2921dad93123
AgentTesla
e290a382d4dd65d349efa235b0c6b7a9f488eaa69b319d4b3a148823a00c9d07
AgentTesla
+ 3'552 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210330-yxd7wayef2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1745818390:AAGO_BZASIE0nikjN2fidl-i_pFNsM6KmzY/sendDocument
Unpacked files
SH256 hash:
7866b3d9b7202921f2cf5dd641cc6435f9408cbb52fbec9d8110bd14084d603b
MD5 hash:
eeea96658f814be6ee3f6fa84299f577
SHA1 hash:
63b72a38477597a642337a2239bf3781e166dd5b
Link:
https://www.unpac.me/results/e3dd827c-8926-4d33-a39f-9a580aa48379/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/7866b3d9b7202921f2cf5dd641cc6435f9408cbb52fbec9d8110bd14084d603b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 8e570c209cf850474efffca94eb1c96bdb3acb819683aedd4fe7f9877e537881

AgentTesla

Executable exe 7866b3d9b7202921f2cf5dd641cc6435f9408cbb52fbec9d8110bd14084d603b

(this sample)

  
Dropped by
MD5 2dea92e5234e56d5445ef16922eb8df6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127897/
  
Dropped by
SHA256 8e570c209cf850474efffca94eb1c96bdb3acb819683aedd4fe7f9877e537881

Comments