MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a39ee4f4e2772032e1609736832971ec322b1fac47458b10d35721bdea4c31d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	7a39ee4f4e2772032e1609736832971ec322b1fac47458b10d35721bdea4c31d
SHA3-384 hash:	60734d5422e8a81db6bc10b2b3883d575a02ddd252652fdd5d011d7caa5f59bcb9642ba68af36653713c0e7f9e95f845
SHA1 hash:	b82fa37c0f10e887136b4159bdae148e44f25fd1
MD5 hash:	42c8a2ef6ceb995ba824c1571f695ffe
humanhash:	wyoming-monkey-whiskey-william
File name:	payslip.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	582'656 bytes
First seen:	2021-08-05 11:40:10 UTC
Last seen:	2021-08-05 13:23:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:ECRshqSvWzyIReAShJtuyz5VPZbxzSI5:ECszaxYJ37Ztea
Threatray	139 similar samples on MalwareBazaar
TLSH	T17CC4DF417148C1D1DA890A73E423EFF824852ECBD6AD449F6B9AFF5839B27D0D41EA0D
dhash icon	d8d0a9ada59cc080 (4 x AgentTesla, 4 x RedLineStealer, 2 x Formbook)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/176630/

Detection(s):

SecuriteInfo.com.Variant.Bulz.546714.19564.21494.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66d6f5d0-8236-4a44-bd3c-ebfe26c05d45

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/827702

Signature

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7a39ee4f4e2772032e1609736832971ec322b1fac47458b10d35721bdea4c31d/

Threat name:

Win32.Trojan.Bulz

Status:

Malicious

First seen:

2021-08-05 06:02:43 UTC

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pi464t2oe5zaglqwbfzwqmuxd3bsfmp2yr2frmingvzbxxveymoq._file

Verdict:

unknown

AgentTesla

0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901

AgentTesla

41576a4ea5b8e1d0c9a1ca017e2a5265c1d7ae9e32f2327871e8f9acc6219fa3

AgentTesla

5c627ab23daa708e73eae534919c3f6494331df0dca30ab67047e0ec65182495

AgentTesla

6ab28a843d5ad26feee60448dfbbb5ddba73da6d5dc5a6a6fb9c0129bc7e3bf6

AgentTesla

71d0b7098599a1499e71ecfb828eef37868f31e4bc0e64d1249b90bd4404c5da

AgentTesla

736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3

AgentTesla

d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4

AgentTesla

+ 129 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210805-1f8pd324za/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

9ec59f19a9d0674d1a1b59cd827862f9f9ebedd644314e2866bb553ea6e45cc3

MD5 hash:

6334c6e9672abc63848739d058d123e7

SHA1 hash:

02b9f98148c84dea3e27d92dbc2a854331370a39

Link:

https://www.unpac.me/results/7fd744b2-a3be-43c0-add4-f3bc4335239d/

SH256 hash:

0084a650cc980946e3c074ffacbd2dda7790963a6f63a461be6e1917492ce53a

MD5 hash:

84cef14e10dd889178986bf53ccecf41

SHA1 hash:

3ac3c718c700edd0bbfb19e9ef9de14b3b87ef77

Link:

https://www.unpac.me/results/7fd744b2-a3be-43c0-add4-f3bc4335239d/

SH256 hash:

a528b8bf99a8c843dcad9c4d3a01736eb333b8007515dd058a407e47dfbe014e

MD5 hash:

39700aa612fe98293db982be029457c0

SHA1 hash:

e18bcc6abffd52f229f4a93cdf3adb74a6286c92

Link:

https://www.unpac.me/results/7fd744b2-a3be-43c0-add4-f3bc4335239d/

SH256 hash:

7a39ee4f4e2772032e1609736832971ec322b1fac47458b10d35721bdea4c31d

MD5 hash:

42c8a2ef6ceb995ba824c1571f695ffe

SHA1 hash:

b82fa37c0f10e887136b4159bdae148e44f25fd1

Link:

https://www.unpac.me/results/7fd744b2-a3be-43c0-add4-f3bc4335239d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7a39ee4f4e2772032e1609736832971ec322b1fac47458b10d35721bdea4c31d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/176630/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample