MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4276cf8a443df10dc04df711a45770683b836758173576c9b483806ae1cca0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a4276cf8a443df10dc04df711a45770683b836758173576c9b483806ae1cca0
SHA3-384 hash: 4beebef2909f301138742a423c268c1f4dfe900e796bd261ab06267b3bf0b58fb07237e23027d10875d00ec55afcf12f
SHA1 hash: 8562dcf66e179d2ddd4050c495ad67192a4d0216
MD5 hash: 8b9f0c9f933286f5261af391fb792d8f
humanhash: march-uncle-robin-network
File name:Payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:486'400 bytes
First seen:2021-09-24 07:55:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GGEWhNY1GNw13ikNesg9pgFTSB7F4riRqCWszr:1eAN4nNezfgFTq4r2Ws
Threatray 10'214 similar samples on MalwareBazaar
TLSH T127A4E04192DCCF5FE3286A749925A950C563D3ED21A3EE4ADD6944723EEA20CF710EC3
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 07:58:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c190639-ee2f-485e-bef9-308f2a453b91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191086/
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc53a598-8ed6-40c5-92e5-31bbf9616a5c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857169
Signature
.NET source code contains potential unpacker
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489600 Sample: Payment.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 34 mail.dynamicexpress.co.za 2->34 36 Found malware configuration 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 8 other signatures 2->42 8 Payment.exe 7 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\Roaming\ivRaay.exe, PE32 8->24 dropped 26 C:\Users\user\...\ivRaay.exe:Zone.Identifier, ASCII 8->26 dropped 28 C:\Users\user\AppData\Local\...\tmpF87D.tmp, XML 8->28 dropped 30 C:\Users\user\AppData\...\Payment.exe.log, ASCII 8->30 dropped 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->46 48 Uses schtasks.exe or at.exe to add and modify task schedules 8->48 50 Injects a PE file into a foreign processes 8->50 12 Payment.exe 2 8->12         started        16 schtasks.exe 1 8->16         started        18 Payment.exe 8->18         started        20 Payment.exe 8->20         started        signatures6 process7 file8 32 C:\Windows\System32\drivers\etc\hosts, ASCII 12->32 dropped 52 Tries to harvest and steal ftp login credentials 12->52 54 Modifies the hosts file 12->54 22 conhost.exe 16->22         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7a4276cf8a443df10dc04df711a45770683b836758173576c9b483806ae1cca0/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 06:11:35 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjbhnt4kiq67cdoajx3rdjcxobudxa3hlaltk5wjwsbya2xbzsqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
23a9e7088b57d3f862728c20d419a0781cf99dbef14a4b52d1fbd9c3026c9a9c
AgentTesla
2e8f1d1e22c5a36b95634aafb27418f9d1fd9000ec81e859f327588a70d402b1
AgentTesla
43a36a9238ceb8ddb0ae520ed70c354a0bba4e4eac633479fac1936c62017ad4
AgentTesla
46fd2d00e7004568cf02ed133df56b11e403275d6a6dc7ba009f0b6b11f054bd
AgentTesla
9749a1b2802d673fab08d09fc9278643f66b890d975af6c34512ad8eddb23fbb
AgentTesla
9b74da4636f307d83f8d087148712da7bd067b9c7bc78a8304ca59117fda3a3f
AgentTesla
b00f9dae9cce74b9c7f5b423fbcfe66e6d23db9741e172a2abdcc347ba9abd28
AgentTesla
dbab006dbc87657b92920f2cf8aacaa990838af10c55262c5a18d12c8f16f45d
AgentTesla
e69bdeeafc821d1e337a126741196fce57672efe1e1992be11a6ba09a088a6f0
AgentTesla
+ 10'204 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210924-jspblagcfk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
74b796245fd278d7702612d341cd9d7a6a2c86d0d130fd41df3b36c91089ea5c
MD5 hash:
5d02fcf2ded2882ef3f6593b85209f00
SHA1 hash:
ee54f15652dce3374d0df26d416a5a4ec9c0dae3
Link:
https://www.unpac.me/results/3c685f71-708b-4fc1-a3be-cb096f77ee94/
SH256 hash:
aefd07074aa4af5ae67b6e473496c69b414d57a3a57345c201cba5dfd5466b79
MD5 hash:
ed6b703faef1b65ce821a0062da9b63e
SHA1 hash:
edba7a542cc7b3f71df837a149f51316056a817f
Link:
https://www.unpac.me/results/3c685f71-708b-4fc1-a3be-cb096f77ee94/
SH256 hash:
72cce90bbc7634639c3078a97393703c804d8d655d6e8f03bbee63b9154885e8
MD5 hash:
bff7bdfddcd4a718c1e53408c316c629
SHA1 hash:
8bf8b204969cee9304b0011113a9b80dc74b783c
Link:
https://www.unpac.me/results/3c685f71-708b-4fc1-a3be-cb096f77ee94/
SH256 hash:
ea9b047596eecbb8d291ac6ee7bc17273b12bdabdea99352ce890e661c05e19c
MD5 hash:
d8339e12dc9f3098151c304e2402dce4
SHA1 hash:
3a92a07c11be4aba8efee8466cfc058ea559b8f8
Link:
https://www.unpac.me/results/3c685f71-708b-4fc1-a3be-cb096f77ee94/
SH256 hash:
7a4276cf8a443df10dc04df711a45770683b836758173576c9b483806ae1cca0
MD5 hash:
8b9f0c9f933286f5261af391fb792d8f
SHA1 hash:
8562dcf66e179d2ddd4050c495ad67192a4d0216
Link:
https://www.unpac.me/results/3c685f71-708b-4fc1-a3be-cb096f77ee94/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7a4276cf8a44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a4276cf8a443df10dc04df711a45770683b836758173576c9b483806ae1cca0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7a4276cf8a443df10dc04df711a45770683b836758173576c9b483806ae1cca0

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/191086/

Comments