MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a524ab3c8435752dd2f42d1cd01558d10938909564b578b841f93f4727b832f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a524ab3c8435752dd2f42d1cd01558d10938909564b578b841f93f4727b832f
SHA3-384 hash: 9d3191956f264aca5ccbbe41f928bebb9e832463211ba514336e0da151ef459287bad8bd4bde0781676db0b720336a35
SHA1 hash: db395e0a2f0365c0881a370b9dcbbf33010794c7
MD5 hash: f4b433b4a8e18670bd9bdeaf49b93cb7
humanhash: hotel-lake-seven-happy
File name:Shipping Document PL&BL Draft.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'047'488 bytes
First seen:2021-04-30 13:11:35 UTC
Last seen:2021-04-30 14:21:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:HjCeAcYSHu/k0SKwvdPmndV3sgixI9oFNhCBamBuuYCfnDXi291Hk9W/3MuA6skW:DCeo6
Threatray 4'346 similar samples on MalwareBazaar
TLSH B99541289CFB80B56A68B67B856070612D03BCAA693DFAC47754033ED303651BD99F7C
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/147464/
Detection(s):
SecuriteInfo.com.ArtemisF4B433B4A8E1.7725.7476.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/704877
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a524ab3c8435752dd2f42d1cd01558d10938909564b578b841f93f4727b832f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 07:01:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjjevm6iinlvfxjpili42akvruijhcijkzfvpc4ed6j7i4t3qmxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0057ff00197742e22424a86c2a38a6b1074ddc27f8edcdebc6d58d7188184d6d
AgentTesla
1f487a7364066794ee06ac5c009cc9db1e7a1547857feef5e4495131a8743b78
AgentTesla
5fce6d478d0469b3d543e06e632920510999b547a6853e11102c4f011eef5722
AgentTesla
8346b4b66475749310a488fd8af9846f76269e369cba23c9e4615318fcca6aed
AgentTesla
88709c8771c0dd7318b0ef82da7f2cf56379df73f744d9381101c1badde7f6b9
AgentTesla
a35f89d4a15e31c7069b35ce61a7b8a4bf8f2c40314ac300b45f21dcf5235238
AgentTesla
b1a5300635ab3fcd5c547e1a50230d40aafded4485cc431ebdd6dd28166e9376
AgentTesla
b7d6bbc66a64baf78d4393b91e7c90f1c5400e2098875e35b903fd5e5c48e16b
AgentTesla
c4ee3e5cecf3510d88b59f4122e88f50dc99a761338dd1f8fc3eff6bfed2e005
AgentTesla
e6cff481354c9e4892bc77d443735ca5187c5b59ef0afc7b39a4059728ce2e60
AgentTesla
+ 4'336 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210430-lggz128yln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
76b3e2256368a1e79843f4006b006d3ff9caa8d3499d78a6bce7786c45081851
MD5 hash:
678781b35e19044fe8b3524bba67d64e
SHA1 hash:
adcffce2e8b9f3bd1f4275623fd4880c420a56af
Link:
https://www.unpac.me/results/080721b2-a4e9-43f5-9c60-f7d38e9fc294/
SH256 hash:
4907d605006941e47d8314f20ae41e7a84e70c2ed09b70fed7ce1c63b601a425
MD5 hash:
2589fed7d535c5375757135ccb210ad5
SHA1 hash:
545229f4e6a52fea7cf854109a9ae9950665896f
Link:
https://www.unpac.me/results/080721b2-a4e9-43f5-9c60-f7d38e9fc294/
SH256 hash:
7a524ab3c8435752dd2f42d1cd01558d10938909564b578b841f93f4727b832f
MD5 hash:
f4b433b4a8e18670bd9bdeaf49b93cb7
SHA1 hash:
db395e0a2f0365c0881a370b9dcbbf33010794c7
Link:
https://www.unpac.me/results/080721b2-a4e9-43f5-9c60-f7d38e9fc294/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a524ab3c8435752dd2f42d1cd01558d10938909564b578b841f93f4727b832f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/147464/

Comments