MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ab15fce2bcad498858c4340f6cd0bbf540e5de324913d0f40c7863b9009e989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ab15fce2bcad498858c4340f6cd0bbf540e5de324913d0f40c7863b9009e989
SHA3-384 hash: 0c049e81a6c55270ca8a3fb5899c514960aaadc1f5ccd354163550cfe515e32c39bd5ea16bfd137b3b9e3e33e919a95e
SHA1 hash: e6623b32ef46c97bbe2c18234d1f48f57aae23e7
MD5 hash: c6e72fcd44443a6165f3607ae0273162
humanhash: winter-maryland-india-seventeen
File name:c6e72fcd44443a6165f3607ae0273162.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:554'496 bytes
First seen:2022-01-31 12:19:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:LVVO7JO3pIt+AIlRe8jHQNIUuLRxT5s1jo1luxHiRgxQe3p:LVVOVoIEPlRed+/9yIlu46i4
Threatray 14'636 similar samples on MalwareBazaar
TLSH T14FC4BEB4A1A74581F00BC974657CFD7102B231E3E9CA0E3967792241CBEEF653E85A4E
File icon (PE):PE icon
dhash icon 8cfcd89cccc8d0b0 (23 x AgentTesla, 14 x Formbook, 4 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO P42308 - MIR.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-31 08:39:09 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/14f74492-5012-4375-8161-98674442ea37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228428/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61f7d3fbd7fd65ae55fc81b0/reports/c6277bc3-a515-4725-970b-fb522c49908f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff10061a-fc75-4ab4-a920-1e016849b49d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930811
Behaviour
Behavior Graph:
n/a
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7ab15fce2bcad498858c4340f6cd0bbf540e5de324913d0f40c7863b9009e989/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 12:20:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 43 (48.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkyv7trlzlkjrbmminapntilx5ka4xpdesit2d2ay6ddxeaj5geq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20f09a52fe64148515141a312791701a1251b91c0afd2b8ff9de17e5a7485684
AgentTesla
30a2e2f5aaecca9e137bb27b823011c4e7e994525cbf16a61ed47ac682ca6717
AgentTesla
3af0a9ad9d1f4116b70e681dd60f9d10a05050574585382c0ac0dad2ccf2a3e5
AgentTesla
43f6edcd253f873d92084360b73166040790c8bf7ca9ea125a736b67cb5f3d58
AgentTesla
51af0a175f8c7ef9d3e6b06b54ed1c8b4175f21ebac90816c6c36fd0e62ef654
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325
AgentTesla
eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
fb263756d4181bd3dbf028d68ee1c342c1f6699a02727d49b1bfd09a663b5804
AgentTesla
+ 14'626 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220131-phsh6ahbcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
77d43dca7bc6710a0b2bf0907f94b7fb3246e5fc90c8246474a8170563b193d7
MD5 hash:
40e58f39949dac945984c0a401e15acd
SHA1 hash:
ace0b41e147ede857d57ddef04adc877426cad6d
Link:
https://www.unpac.me/results/896f6397-7bbb-47ec-a996-5f86fa22f2b3/
SH256 hash:
fd0a5dcb995147a27cb9b48b1f98fbf4c51c072cbc071905126f975e2dcba288
MD5 hash:
61d4caf3b9755012117e391d03d5d4b9
SHA1 hash:
a649d7e2bc78ed0b28278ac52413d481d4a0e1c5
Link:
https://www.unpac.me/results/896f6397-7bbb-47ec-a996-5f86fa22f2b3/
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/896f6397-7bbb-47ec-a996-5f86fa22f2b3/
SH256 hash:
7ab15fce2bcad498858c4340f6cd0bbf540e5de324913d0f40c7863b9009e989
MD5 hash:
c6e72fcd44443a6165f3607ae0273162
SHA1 hash:
e6623b32ef46c97bbe2c18234d1f48f57aae23e7
Link:
https://www.unpac.me/results/896f6397-7bbb-47ec-a996-5f86fa22f2b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/7ab15fce2bcad498858c4340f6cd0bbf540e5de324913d0f40c7863b9009e989

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 7ab15fce2bcad498858c4340f6cd0bbf540e5de324913d0f40c7863b9009e989

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/228428/
  
URLhaus
https://urlhaus.abuse.ch/url/2017865/
  
Delivery method
Distributed via web download

Comments