MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7947ae152bc8cf3fc63e4ea5c49e8763f9a3bc585b7234a578f039c45e10f594. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7947ae152bc8cf3fc63e4ea5c49e8763f9a3bc585b7234a578f039c45e10f594
SHA3-384 hash: a6806ac9f33cd2613b19f7d0d7fa9b687aef924f4ce6cb353259dff069f84a68a667d46f7d4768911fb2a09a1ad23277
SHA1 hash: 53f8fd64067f92b43b9b343d12feb24ee4d6d4e2
MD5 hash: 96ceea91410d1fa10c13a1328db84e58
humanhash: music-pasta-apart-harry
File name:Inquiry #19117030P.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:849'408 bytes
First seen:2021-02-09 11:40:37 UTC
Last seen:2021-02-09 14:17:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:XvBQSnZl+lZbAy/TYTXSicTnsoRQhT1xdwgKN6hY/syvxQ1kRBGcaiQQR6Pcvn2F:Xv18bHTcXSiQsouhT2P+Y/5xQC2cP
Threatray 2'644 similar samples on MalwareBazaar
TLSH 5E059C92B2754747EFA5B7F11C30468112F1EC2AE635C18DB9C4B3BDEB35AA3821D252
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry #19117030P.exe
Verdict:
Malicious activity
Analysis date:
2021-02-09 11:41:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4d151b1d-687b-4f8e-9ece-b03e89f431c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116168/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.535.26030.14716.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/602876
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7947ae152bc8cf3fc63e4ea5c49e8763f9a3bc585b7234a578f039c45e10f594/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 21:38:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfd24fjlzdht7rr6j2s4jhuhmp42hpcylnzdjjly6a44ixqq6wka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0acddf5a75ecbc1da6ed26230c0adcd7a8cd31a95a0992cf2b5712355374012d
AgentTesla
25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f
AgentTesla
2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51
AgentTesla
3cd1e0124a1fd0d922c432d01e909479692e7133dc1b33b739e7b9701b03444d
AgentTesla
6edf2cd35efb889cf95bf9d63662f32f977b677ea486bde77cf2315a0c16552b
AgentTesla
a21e38f8f6be5ca6ad235835b89f774e142683615b5bec677d3cf49fe78c2f16
AgentTesla
a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0
AgentTesla
c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec
AgentTesla
f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
+ 2'634 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
ransomware
Link:
https://tria.ge/reports/210209-56qwf89fsa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
387a8de87b4a9569510d8a8f82f2e6dfba20330f91cc36b9a5dbf75422b58862
MD5 hash:
6f817a06db27a37a6e079c3a805a7ccc
SHA1 hash:
f3b18667e62059651083986089af75c246aa82d6
Link:
https://www.unpac.me/results/e2de60a3-18c0-4854-8bb7-ea18b68f1334/
SH256 hash:
f9ccac178eaff3ec4d57428792443ba6187b2ad1b61d21a3b6ac15f1cece7693
MD5 hash:
02d66c2c78cc81711eef2cfb86436095
SHA1 hash:
cbdf390c7046c7a076175d5f6a3f7142c527c648
Link:
https://www.unpac.me/results/e2de60a3-18c0-4854-8bb7-ea18b68f1334/
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/e2de60a3-18c0-4854-8bb7-ea18b68f1334/
SH256 hash:
7947ae152bc8cf3fc63e4ea5c49e8763f9a3bc585b7234a578f039c45e10f594
MD5 hash:
96ceea91410d1fa10c13a1328db84e58
SHA1 hash:
53f8fd64067f92b43b9b343d12feb24ee4d6d4e2
Link:
https://www.unpac.me/results/e2de60a3-18c0-4854-8bb7-ea18b68f1334/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7947ae152bc8cf3fc63e4ea5c49e8763f9a3bc585b7234a578f039c45e10f594

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a715303c2cab56dfddfec0cbaff73e1fd279afe0b10cb24b2fee22f855245b1f

AgentTesla

Executable exe 7947ae152bc8cf3fc63e4ea5c49e8763f9a3bc585b7234a578f039c45e10f594

(this sample)

  
Dropped by
MD5 2b8b5e8d194806517aa1b69eea0d07e7
  
Dropped by
SHA256 a715303c2cab56dfddfec0cbaff73e1fd279afe0b10cb24b2fee22f855245b1f
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116168/

Comments