MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2
SHA3-384 hash: a33ea0f7557d47175600797017c69e44f79df37dd503be63c3bf30c9f19b3d1d312b5879fead2280eab17ff5c2b66eb3
SHA1 hash: a5ef6883a7aa91d67bf0ec394435bcc9759464d5
MD5 hash: 97272c6488df927aa5d6f88671c2dccf
humanhash: blossom-kitten-freddie-lactose
File name:MIUSQgLBmbpSjg5.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:673'792 bytes
First seen:2022-12-13 07:33:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RaM9TRw+y6xbgBH1+AofO5YbeSleLINU0CYASsvgwnpray:5Rw+yibgBH1+A95YbeSsL9jpW
Threatray 24'418 similar samples on MalwareBazaar
TLSH T15EE4125F2AC835C6CFB099FAC00A524A11B1E9963103C3BD8CD7F439C9653DD664EAA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 303edcda9adc3e30 (15 x AgentTesla, 7 x Formbook, 5 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
MIUSQgLBmbpSjg5.exe
Verdict:
Malicious activity
Analysis date:
2022-12-13 07:36:42 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/39f54328-05de-42c3-bf57-7802aef89483

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345753/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.11765.18521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63982aed9a505ad9423f70a6/reports/803f72a1-47e5-4221-b0b2-d5786152cb84/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1d06341-c8b7-4c6e-aef7-dddf5edbf907
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133237
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 07:34:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pi57kbq5aeziwsvwpyunzrl2xkzhpa5x5skpimwoqe3w4f7bi3ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2d4e9b33851949bd81869d7ce2609cb9694ca946cdc3657fd449693170878448
AgentTesla
2f1fa3784cd1f226cbcbbccbbc0c4bc067584429de021e2b4f7bcdac6cbeb05a
AgentTesla
341ff4121328104ec5db8662d94cfdfdcffd7c36bc022a8fabea180d3c19adbc
AgentTesla
4073df659d58e6b8619746e412f0649a8fc4a67da64d27e4a1dcadf797cfcc70
AgentTesla
54983544e9fd6e0423bcd9ea883e4ff1375abcdd58876d79701e9d24882500ed
AgentTesla
7a441ef4db4f0137ce67de4c76b8af5f2c98e726c39ec37ea404ada30a96a355
AgentTesla
a058e4db6871ecf56adf444c908980dbfb1a6eddc2cb2eae86d86c6df6111c30
AgentTesla
db7c98672e8f63508346396c087aa31ef5eb3b922df16cc5a53ad08749b8f230
AgentTesla
+ 24'408 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221213-jd4sqsec36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ceef1abc-9b46-4b44-92e0-f791671e4524
Unpacked files
SH256 hash:
35cad145efd0b5b6396491150d2e307d4cb5e06d4f1b41aa310393c6dce520b9
MD5 hash:
56f8354a2e307e73243ff0056295fedd
SHA1 hash:
ed3257769ea438e1b5e86c3ef033e2deca86e239
Link:
https://www.unpac.me/results/494275e9-65e8-4d0b-85ad-4bfa5d9ec4cd/
SH256 hash:
073436e5facfb01011f654c6cd311465d9dd38af871b8e22aa895eccba0a5c58
MD5 hash:
7ae4101f28d71974162228e1988af316
SHA1 hash:
c12009dcf44955fc562ea4837af042f55d1d95d4
Link:
https://www.unpac.me/results/494275e9-65e8-4d0b-85ad-4bfa5d9ec4cd/
SH256 hash:
4a26c3e256ca11b441c210ec01633954c91992c93c114c60fdf12fc7b6de83b0
MD5 hash:
730d0dc5412ff15f1c55a4841070f34c
SHA1 hash:
a025c25647ea3ce4aaa2104ca939f84308157800
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/494275e9-65e8-4d0b-85ad-4bfa5d9ec4cd/
Parent samples :
7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2
80cbe069c3ce10b39d4e842a56d7f1cc6f2a919d21aa3fa9fda5aae5ab9d5f73
SH256 hash:
a9f7f99fbcfa6dc1e221442633fef2472df5645b8fa6084350a702112cb07a1f
MD5 hash:
b3c242ae825a0da7a6c3386cdce3e88b
SHA1 hash:
70315260c97c161897432e18a752171ad8874ee2
Link:
https://www.unpac.me/results/494275e9-65e8-4d0b-85ad-4bfa5d9ec4cd/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/494275e9-65e8-4d0b-85ad-4bfa5d9ec4cd/
SH256 hash:
7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2
MD5 hash:
97272c6488df927aa5d6f88671c2dccf
SHA1 hash:
a5ef6883a7aa91d67bf0ec394435bcc9759464d5
Link:
https://www.unpac.me/results/494275e9-65e8-4d0b-85ad-4bfa5d9ec4cd/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a3bf5061d01/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/345753/

Comments