MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7959429fb1fa4b3ff3f628eae0fe1efd7d373eb42f6c6ef1e68b5fb4a6d9d67e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7959429fb1fa4b3ff3f628eae0fe1efd7d373eb42f6c6ef1e68b5fb4a6d9d67e
SHA3-384 hash: 5d6fc04756dcac0d5c2295641ecddc850eac91d569a9eaf332d32637a6cd74045b3e547fd7e01042f16b9b548ee615e8
SHA1 hash: 4aa16f12e436ab97eb709c99cfde21da48e7067f
MD5 hash: 0d1b796144a61a40194f58ac4089b82e
humanhash: seven-edward-burger-fruit
File name:T20009002.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:385'089 bytes
First seen:2021-07-15 05:46:33 UTC
Last seen:2021-07-15 06:44:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:tqjIyJLxIrgObLrt0vnep+eqO7M5MF2LoJeE9r:E1MgiL50/417SMkLoLr
Threatray 6'831 similar samples on MalwareBazaar
TLSH T19484E01971B0E926DBE0717D8FA6D53543A1AC4C584B464F33E4BEAB39FD183220A7E1
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
T20009002.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-15 05:49:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3baffd54-f1a6-4f1f-b7e9-a13af3581f3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171862/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.20641.5671.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/892aeef1-0f33-44ca-97bd-2efef567b7ec
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816667
Signature
.NET source code contains very large array initializations
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7959429fb1fa4b3ff3f628eae0fe1efd7d373eb42f6c6ef1e68b5fb4a6d9d67e/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 03:44:20 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfmufh5r7jft747wfdvob7q67v6topvuf5wg54pgrnp3jjwz2z7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
113a77824329e62d8a2268075f4e8afa9756a9e134d46e87a61618d7b426b9af
AgentTesla
14e48e373fee4fafef99517fba97e5ea5727f764a0b92509b307f9387679dd64
AgentTesla
6b6a6cb45c75ffda98874ecb88f2fbc1ec1737222116967459117d6d8d36ecc9
AgentTesla
96194db9a638f9fb759935840a3e757bea5154eeef294583ca305cf3de8de0c3
AgentTesla
acc4f3dec5d471c28db29b9e7877fa419d157ebaa44b51039fbae33d6e33ca02
AgentTesla
bfdc55f5182638dff835b341613a95d335fea510ad5c322d51e6acaf30cba6cb
AgentTesla
dbb9ba65aab3b8469769a5c442bc0f28b0ff6fe4a8f64bad2f15fee855575bcc
AgentTesla
e4649c6b74b9494074c6020ba5e73d1253ed1929146135f4e9dbc48da6ace470
AgentTesla
+ 6'821 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210715-gs7dvs69js/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
SH256 hash:
dbebd2091cae9340ceca742444db410faf457d980256edce10eb690413d6c445
MD5 hash:
0e2fff7c3cff53c4e747f2ff7c3f5905
SHA1 hash:
de27aed609f19aa66c255d6cb3f92ca134b81de0
Link:
https://www.unpac.me/results/34fa5355-bd2b-47ac-bacc-7e7a7c1298ea/
SH256 hash:
abdf8f955302ee8fd46314a999887f028701dff252d4a2d541fe0e374e02b76e
MD5 hash:
819a46c5a558cd8e0f6704fa0246d634
SHA1 hash:
54cb830c7f7dad899e3cf6d00f12e7d1f2cacae3
Link:
https://www.unpac.me/results/34fa5355-bd2b-47ac-bacc-7e7a7c1298ea/
SH256 hash:
e8ed8965174e33f492fe562619603f67112c91a6584b1786f609d842ddea46e6
MD5 hash:
54a3ce52d82269494d5e2a575d49ee53
SHA1 hash:
a01b1f966634d5bb21d76eee0d16fda387982eb1
Link:
https://www.unpac.me/results/34fa5355-bd2b-47ac-bacc-7e7a7c1298ea/
SH256 hash:
7959429fb1fa4b3ff3f628eae0fe1efd7d373eb42f6c6ef1e68b5fb4a6d9d67e
MD5 hash:
0d1b796144a61a40194f58ac4089b82e
SHA1 hash:
4aa16f12e436ab97eb709c99cfde21da48e7067f
Link:
https://www.unpac.me/results/34fa5355-bd2b-47ac-bacc-7e7a7c1298ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7959429fb1fa4b3ff3f628eae0fe1efd7d373eb42f6c6ef1e68b5fb4a6d9d67e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 77270d353b8a6cafeafa79d7ed10d460c9c546b54e9fd75084426b897b1288f0

AgentTesla

Executable exe 7959429fb1fa4b3ff3f628eae0fe1efd7d373eb42f6c6ef1e68b5fb4a6d9d67e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 77270d353b8a6cafeafa79d7ed10d460c9c546b54e9fd75084426b897b1288f0
Cape
Cape
https://www.capesandbox.com/analysis/171862/

Comments