MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ace65e8c9b2a4f79b1e29381e4f9885c6e45a96daf7cbad55cbdbe6cda329a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	7ace65e8c9b2a4f79b1e29381e4f9885c6e45a96daf7cbad55cbdbe6cda329a6
SHA3-384 hash:	9affc5667cc7c431e869562f35e0c3dd2624a53290f86c73e6431c44662fb49965daae76b8a90df82551ffa3652d1a04
SHA1 hash:	d873b72fc56c86cd4543bca5ae5ca0ee3046e9b3
MD5 hash:	759b49238cc787420a29ba23ac177aa7
humanhash:	bakerloo-table-orange-fanta
File name:	cotización.xls.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	414'208 bytes
First seen:	2021-10-04 09:25:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:DtLiERQ+3HwOz37lwNcrJp79hVYYb7mZZ1To3bo2amQ4U0Lwh+SrMIt0:YESoPzJTjF+Vo386dUQw8
Threatray	10'633 similar samples on MalwareBazaar
TLSH	T1B294F1786373A750CD7887F42928F6928778642A1069C37C5DDDE4ED3FA27B44AE0A43
Reporter	abuse_ch
Tags:	AgentTesla ESP exe geo

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cotización.xls.exe

Verdict:

Suspicious activity

Analysis date:

2021-10-04 09:41:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cf122f44-d2e5-4932-ba0d-543a1cac75a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/194509/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615c0f1cb95458900cdc5fe4/reports/2a3f4ed5-86a6-440a-8f04-14638da8cf9a/overview

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8fc9a921-73d2-45ce-8d32-cccf55fe9f40

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/863772

Signature

.NET source code contains potential unpacker

Found malware configuration

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7ace65e8c9b2a4f79b1e29381e4f9885c6e45a96daf7cbad55cbdbe6cda329a6/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-04 09:25:23 UTC

AV detection:

8 of 45 (17.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=plhgl2gjwksppgy6fe4b4t4yqxdoiwuw3l34xlkvzpn6ntndfgta._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

268ca772e3e7bef1a82759917e3b9c4377869aa7cb04a829397978adf495c340

AgentTesla

28361df2e00fefcda07f805ea5c17613194fd69b28f143d393f8aeb123cc5eb8

AgentTesla

620c140c63e18539f6e94c7310b9705bde63425fc8f10628ef24356a26f7db24

AgentTesla

72684a74349ce5fc82b27e2a5db12508ff040c352f920ed69fc688162f722c74

AgentTesla

b7e958ad3d7b10e4a79344e347a8f012f81e4caeb4007fbe0e6dd816bd48e221

AgentTesla

bec15fdabcc004c876a014db3ddf35482d79b606aac9430446878f9cc90c8161

AgentTesla

cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8

AgentTesla

d70dd46e7665afd47e252273c19314500682a1aede68b0d2dbfb653a96468fe1

AgentTesla

eb9581db02db6a23a836ba53574cf0d01bd50a6d368f10f77889a441bcb911cf

AgentTesla

+ 10'623 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211004-ldmkkagber/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

e60c71a3cafa86b370e02270a19023068c2a9491e6e621fac6cda033eb488081

MD5 hash:

132db1617757bd8770383741aa28b9fa

SHA1 hash:

d77cf66e14b5935df3ab42d51131d135a5e897fa

Link:

https://www.unpac.me/results/cfb5df60-e63c-4598-839c-0a9a764cdac7/

SH256 hash:

2f0661bcb7ca5e75bfb0bd826ebd6fdf2c93ed6a7d0b815b0cf35c4c8b50619f

MD5 hash:

c08034a961fbdeb70d9b655fd266b135

SHA1 hash:

a61467aabb5bef860a972e0460fce856f963155b

Link:

https://www.unpac.me/results/cfb5df60-e63c-4598-839c-0a9a764cdac7/

SH256 hash:

fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03

MD5 hash:

c380b6831f456ac5cac08c78c0e4dada

SHA1 hash:

3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c

Link:

https://www.unpac.me/results/cfb5df60-e63c-4598-839c-0a9a764cdac7/

SH256 hash:

7ace65e8c9b2a4f79b1e29381e4f9885c6e45a96daf7cbad55cbdbe6cda329a6

MD5 hash:

759b49238cc787420a29ba23ac177aa7

SHA1 hash:

d873b72fc56c86cd4543bca5ae5ca0ee3046e9b3

Link:

https://www.unpac.me/results/cfb5df60-e63c-4598-839c-0a9a764cdac7/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7ace65e8c9b2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ace65e8c9b2a4f79b1e29381e4f9885c6e45a96daf7cbad55cbdbe6cda329a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194509/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample